Add optional csrf check in routing

Dennis Eichhorn 2019-04-12 22:37:18 +02:00
parent c01846ca1f
commit 35360ef7a8


@ -110,13 +110,24 @@ final class Router
foreach ($this->routes as $route => $destination) {
foreach ($destination as $d) {
if ($this->match($route, $d['verb'], $request, $verb)) {
if (!isset($d['permission'], $account)
|| $account->hasPermission($d['permission']['type'], $orgId, $app, $d['permission']['module'], $d['permission']['state'])
) {
$bound[] = ['dest' => $d['dest']];
} else {
// if csrf is required but not set
if (isset($d['csrf']) && !$d['csrf']) {
\array_merge($bound, $this->route('/' . $app . '/e403', $verb));
continue;
}
// if permission check is invalid
if ((isset($d['permission']) && $account === null)
|| (isset($d['permission'])
&& !$account->hasPermission($d['permission']['type'], $orgId, $app, $d['permission']['module'], $d['permission']['state']))
) {
\array_merge($bound, $this->route('/' . $app . '/e403', $verb));
continue;
}
$bound[] = ['dest' => $d['dest']];
}
}
}
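Review bot: The new guard `if (isset($d['csrf']) && !$d['csrf'])` reads only the route definition and never anything supplied by the request, so no token is verified in the visible lines. As written, a route with a truthy `csrf` value falls straight through to the permission check and only a route whose `csrf` entry is falsy is sent to e403, which is the opposite of what the comment "if csrf is required but not set" describes. The guard should reject when the route requires CSRF and the request's token is missing or does not match the expected value (compared with `hash_equals()`); that token would have to be passed into this method, whose signature lies outside the hunk. Separately, both `\array_merge($bound, ...)` calls discard their return value, so a denied route is dropped silently instead of being bound to the 403 destination; `$bound = \array_merge($bound, $this->route('/' . $app . '/e403', $verb));` fixes that.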