Add nonce verification to all get requests with the task param

This commit is contained in:
Flavio Copes
2015-11-19 22:54:17 +01:00
parent 0e4b451f80
commit 1f6bda7d75


@@ -94,10 +94,17 @@ class AdminController
}
unset($this->post['admin-nonce']);
} else {
if ($this->task == 'logout') {
if ($this->task == 'logout') {
$nonce = $this->grav['uri']->param('logout-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'logout-form')) {
return;
$this->admin->setMessage('Unauthorized', 'error');
return false;
}
} else {
$nonce = $this->grav['uri']->param('admin-nonce');
if (!isset($nonce) || !Utils::verifyNonce($nonce, 'admin-form')) {
$this->admin->setMessage('Unauthorized', 'error');
return false;
}
}
}
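Review bot: The new else-branch and the logout branch end with the same two rejection lines (`$this->admin->setMessage('Unauthorized', 'error'); return false;`), and the only thing that differs between the two branches is the param name and the nonce action, so the check would read better as one statement: `[$param, $action] = $this->task == 'logout' ? ['logout-nonce', 'logout-form'] : ['admin-nonce', 'admin-form'];` followed by a single `if (!isset($nonce) || !Utils::verifyNonce($nonce, $action))` block. A caveat worth a comment above the branch: because these GET-task nonces are read from the URI via `$this->grav['uri']->param(...)`, they travel in the URL and can end up in Referer headers, browser history and access logs, so their validity window should be kept short and they must never be reused as the POST `admin-nonce`; `Utils::verifyNonce` is not visible here, so I cannot confirm it compares in constant time (`hash_equals`) or binds the nonce to the session — worth checking. Minor: the task comparison uses loose `==`; `$this->task === 'logout'` avoids PHP's type-juggling surprises. The enclosing method starts and ends outside this hunk.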