From 1f6bda7d75ede060e4a7b9954bdb941d61cfa104 Mon Sep 17 00:00:00 2001
From: Flavio Copes
Date: Thu, 19 Nov 2015 22:54:17 +0100
Subject: [PATCH] Add nonce verification to all get requests with the task param
---
 classes/controller.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/classes/controller.php b/classes/controller.php
index 967ffbec..e93859b9 100644
--- a/classes/controller.php
+++ b/classes/controller.php
@@ -94,10 +94,17 @@ class AdminController
 }
 unset($this->post['admin-nonce']);
 } else {
- if ($this->task == 'logout') {
+ if ($this->task == 'logout') {
 $nonce = $this->grav['uri']->param('logout-nonce');
 if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
- return;
+ $this->admin->setMessage('Unauthorized', 'error');
+ return false;
+ }
+ } else {
+ $nonce = $this->grav['uri']->param('admin-nonce');
+ if (!isset($nonce) || !Utils::verifyNonce($nonce, 'admin-form')) {
+ $this->admin->setMessage('Unauthorized', 'error');
+ return false;
 }
 }
 }
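Review bot: The `!isset($nonce)` guard in both new branches only fires when `param()` returns null; `$nonce` was assigned on the line just above, so if the Uri helper reports an absent parameter as `false` or `''` the guard is skipped and the whole decision rests on `Utils::verifyNonce()` rejecting a non-string — neither helper is visible here, so this is worth confirming rather than assuming. A guard that does not depend on that contract is `if (!is_string($nonce) || $nonce === '' || !Utils::verifyNonce($nonce, 'admin-form'))`, with the same change on the logout branch. The two branches also repeat the same lookup-verify-reject sequence and differ only in the parameter and action names, so they can be folded into one as below; the folded version uses `===` on the task comparison, which assumes `$this->task` is always a string. The enclosing method begins before this hunk and appears to continue past it, so how the caller treats the new `return false` cannot be checked from here.
```php
        } else {
            // GET with a task param: every task needs a valid nonce, only the names differ
            $isLogout = $this->task === 'logout';
            $nonce = $this->grav['uri']->param($isLogout ? 'logout-nonce' : 'admin-nonce');
            $action = $isLogout ? 'logout-form' : 'admin-form';
            if (!is_string($nonce) || $nonce === '' || !Utils::verifyNonce($nonce, $action)) {
                $this->admin->setMessage('Unauthorized', 'error');
                return false;
            }
        }
```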