Added compatability with reentrant login methods.

zikula-modules · Jul 29, 2013 · 6a4bef0 · 6a4bef0
1 parent 961694e
commit 6a4bef0
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/Listener/UsersUiHandler.php b/Listener/UsersUiHandler.php
@@ -271,9 +271,14 @@ public function uiEdit(Zikula_Event $event)
     public function validateEdit(Zikula_Event $event)
     {
         if (!$this->request->isPost()) {
-            // Validation is only appropriate for a post, otherwise it is probably a hack attempt.
+            // Check if we got here by a reentrant login method.
+            $sessionVars = $this->request->getSession()->get('Users_Controller_User_login', array(), 'Zikula_Users');
+            $getReentrantToken = $this->request->query->get('reentranttoken', null);
+            if (!isset($sessionVars['reentranttoken']) || !isset($getReentrantToken) || $getReentrantToken != $sessionVars['reentranttoken']) {
+                // Not reentrant login method,  it is probably a hack attempt.
                 throw new Zikula_Exception_Forbidden();
             }
+        }
 
         // If there is no 'acceptedpolicies_uid' in the POST, then there is no attempt to update the acceptance of policies,
         // So there is nothing to validate.