From 9d822b6e8b269ff68e5d90b3acb3385b0d362ef6 Mon Sep 17 00:00:00 2001 From: Duncan Sommerville Date: Wed, 13 May 2015 17:58:02 -0400 Subject: [PATCH] Only use API authentication (not session) when validating termination requests --- .../application/controllers/ProvisioningController.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/airtime_mvc/application/controllers/ProvisioningController.php b/airtime_mvc/application/controllers/ProvisioningController.php index cda59e0db..06ee7a2ab 100644 --- a/airtime_mvc/application/controllers/ProvisioningController.php +++ b/airtime_mvc/application/controllers/ProvisioningController.php @@ -57,13 +57,16 @@ class ProvisioningController extends Zend_Controller_Action /** * Delete the Airtime Pro station's files from Amazon S3 + * + * FIXME: When we deploy this next time, we should ensure that + * this function can only be accessed with POST requests! */ public function terminateAction() { $this->view->layout()->disableLayout(); $this->_helper->viewRenderer->setNoRender(true); - if (!RestAuth::verifyAuth(true, true, $this)) { + if (!RestAuth::verifyAuth(true, false, $this)) { return; }