From 44a003b78717bda51ff6ab4b6d38291b063fd512 Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn <spl1nes.com@googlemail.com>
Date: Wed, 5 Jun 2019 22:24:55 +0200
Subject: [PATCH] improve csrf check

---
 Router/Router.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Router/Router.php b/Router/Router.php
index a80364ffd..1d1b5fa25 100644
--- a/Router/Router.php
+++ b/Router/Router.php
@@ -43,8 +43,9 @@ final class Router
      * Files need to return a php array of the following structure:
      * return [
      *      '{REGEX_PATH}' => [
-     *          'dest' => '{DESTINATION_NAMESPACE:method}', // can also be static by using :: between namespace and functio name
+     *          'dest' => '{DESTINATION_NAMESPACE:method}', // can also be static by using :: between namespace and function name
      *          'verb' => RouteVerb::{VERB},
+     *          'csrf' => true,
      *          'permission' => [ // optional
      *              'module' => '{MODULE_NAME}',
      *              'type' => PermissionType::{TYPE},
@@ -131,7 +132,7 @@ final class Router
                     || ($verb & $d['verb']) === $verb
                 ) {
                     // if csrf is required but not set
-                    if (isset($d['csrf']) && $csrf === null) {
+                    if (isset($d['csrf']) && $d['csrf'] && $csrf === null) {
                         \array_merge($bound, $this->route('/' . $app . '/e403', $csrf, $verb));
 
                         continue;