From 9e0a28cd8ba3ba25335dbac622c863db813ee8de Mon Sep 17 00:00:00 2001
From: Flavio Copes
Date: Tue, 29 Dec 2015 16:06:57 +0100
Subject: [PATCH] Allow to set the nonce for a POST action in the query url too
---
 classes/controller.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/classes/controller.php b/classes/controller.php
index e9d6450e..37628332 100644
--- a/classes/controller.php
+++ b/classes/controller.php
@@ -90,7 +90,12 @@ class AdminController
 {
 if (method_exists('Grav\Common\Utils', 'getNonce')) {
 if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
-if (!isset($this->post['admin-nonce']) || !Utils::verifyNonce($this->post['admin-nonce'], 'admin-form')) {
+if (isset($this->post['admin-nonce'])) {
+$nonce = $this->post['admin-nonce'];
+} else {
+$nonce = $this->grav['uri']->param('admin-nonce');
+}
+if (!$nonce || !Utils::verifyNonce($nonce, 'admin-form')) {
 $this->admin->setMessage($this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN'), 'error');
 $this->admin->json_response = ['status' => 'error', 'message' => $this->admin->translate('PLUGIN_ADMIN.INVALID_SECURITY_TOKEN')];
 return false;
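Review bot: Accepting the CSRF nonce from the URI in the new `else` branch (`$this->grav['uri']->param('admin-nonce')`) means the token now appears in browser history, access logs and the Referer header of any outbound link on the resulting page, which the body-only form did not expose; the fallback should be documented as a deliberate trade-off rather than left implicit. A comment on that branch along the lines of `// Fallback for links that trigger POST actions: the nonce travels in the URI, so it is visible in history, logs and Referer headers` would tell the next maintainer why both sources are accepted, and narrowing the URI path to the actions that actually need it would limit the exposure. I cannot tell from the hunk what `param()` returns for a missing segment; the `!$nonce` guard covers `false` and `''`, but if a non-string can come back it reaches `Utils::verifyNonce` unchecked. The enclosing method starts before the hunk and continues after it.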