Jingga/phpOMS
1
0
Fork 0
mirror of https://github.com/Karaka-Management/phpOMS.git synced 2026-02-07 21:18:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add optional csrf check in routing

Browse Source
This commit is contained in:
Dennis Eichhorn 2019-04-12 22:37:18 +02:00
parent c01846ca1f
commit 35360ef7a8
1 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
Router/Router.php
View File

@ -110,13 +110,24 @@ final class Router
foreach ($this->routes as $route => $destination) { foreach ($this->routes as $route => $destination) {
foreach ($destination as $d) { foreach ($destination as $d) {
if ($this->match($route, $d['verb'], $request, $verb)) { if ($this->match($route, $d['verb'], $request, $verb)) {
if (!isset($d['permission'], $account) // if csrf is required but not set
|| $account->hasPermission($d['permission']['type'], $orgId, $app, $d['permission']['module'], $d['permission']['state']) if (isset($d['csrf']) && !$d['csrf']) {
) {
$bound[] = ['dest' => $d['dest']];
} else {
\array_merge($bound, $this->route('/' . $app . '/e403', $verb)); \array_merge($bound, $this->route('/' . $app . '/e403', $verb));
continue;
} }
// if permission check is invalid
if ((isset($d['permission']) && $account === null)
|| (isset($d['permission'])
&& !$account->hasPermission($d['permission']['type'], $orgId, $app, $d['permission']['module'], $d['permission']['state']))
) {
\array_merge($bound, $this->route('/' . $app . '/e403', $verb));
continue;
}
$bound[] = ['dest' => $d['dest']];
} }
} }
} }