From 35360ef7a8b0ed54ccc98b8d28e5f022ecf84beb Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn
Date: Fri, 12 Apr 2019 22:37:18 +0200
Subject: [PATCH] Add optional csrf check in routing
---
 Router/Router.php | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/Router/Router.php b/Router/Router.php
index c5f272834..d5ced8903 100644
--- a/Router/Router.php
+++ b/Router/Router.php
@@ -110,13 +110,24 @@ final class Router
 foreach ($this->routes as $route => $destination) {
 foreach ($destination as $d) {
 if ($this->match($route, $d['verb'], $request, $verb)) {
- if (!isset($d['permission'], $account) || $account->hasPermission($d['permission']['type'], $orgId, $app, $d['permission']['module'], $d['permission']['state']) ) {
- $bound[] = ['dest' => $d['dest']];
- } else {
+ // if csrf is required but not set
+ if (isset($d['csrf']) && !$d['csrf']) {
 \array_merge($bound, $this->route('/' . $app . '/e403', $verb));
+
+ continue;
 }
+
+ // if permission check is invalid
+ if ((isset($d['permission']) && $account === null) || (isset($d['permission']) && !$account->hasPermission($d['permission']['type'], $orgId, $app, $d['permission']['module'], $d['permission']['state'])) ) { \array_merge($bound, $this->route('/' . $app . '/e403', $verb));
+
+ continue;
+ }
+
+ $bound[] = ['dest' => $d['dest']];
 }
 }
 }
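Review bot: The 403 fallback added in the permission branch, `\array_merge($bound, $this->route('/' . $app . '/e403', $verb));`, discards its return value — array_merge never modifies `$bound` in place — so after the `continue` the e403 destination is not bound and the rejected request ends up with no route at all; the pre-existing line the new CSRF branch reuses has the same problem. Assign the result in both places, `$bound = \array_merge($bound, $this->route('/' . $app . '/e403', $verb));`, or append the routed entries to `$bound` explicitly. Separately, the new guard `isset($d['csrf']) && !$d['csrf']` reads only the route entry `$d`, and nothing in the hunk compares a request-supplied token, so if `csrf` is a static route-table flag the check appears inverted (routes declaring they require CSRF would pass and routes marked `false` would be sent to e403); a comment above it stating who populates `$d['csrf']` and where the token is verified, e.g. `// $d['csrf'] is expected to hold the result of token validation, not a "required" flag`, would make the intent checkable. The enclosing method starts and ends outside the hunk.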