Merging 2.5.x into saas

airtime_mvc/application/controllers/LoginController.php

@@ -61,6 +61,7 @@ class LoginController extends Zend_Controller_Action
                 
                 $result = $auth->authenticate($authAdapter);
                 if ($result->isValid()) {
+                    Zend_Session::regenerateId();
                     //all info about this user from the login table omit only the password
                     $userInfo = $authAdapter->getResultRowObject(null, 'password');
 
@@ -81,6 +82,7 @@ class LoginController extends Zend_Controller_Action
                     $auth = Zend_Auth::getInstance();
                     $result = $auth->authenticate($authAdapter);
                     if ($result->isValid()) {
+                        Zend_Session::regenerateId();
                         //set the user locale in case user changed it in when logging in
                         Application_Model_Preference::SetUserLocale($locale);
                         

airtime_mvc/application/modules/rest/controllers/MediaController.php

@@ -129,6 +129,15 @@ class Rest_MediaController extends Zend_Rest_Controller
     
     public function postAction()
     {
+        /*  If the user presents a valid API key, we don't check CSRF tokens.  
+            CSRF tokens are only used for session based authentication.
+        */
+        if(!$this->verifyAPIKey()){
+            if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
+                return;
+            }
+        }
+
         if (!$this->verifyAuth(true, true))
         {
             return;
@@ -294,6 +303,21 @@ class Rest_MediaController extends Zend_Rest_Controller
         } 
         return $id;
     }
+
+    private function verifyCSRFToken($token){
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $token;
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if($observed_csrf_token == $expected_csrf_token){
+            return true;
+        }else{
+            $resp = $this->getResponse();
+            $resp->setHttpResponseCode(401);
+            $resp->appendBody("ERROR: Token Missmatch."); 
+            return false;
+        }
+    }
     
     private function verifyAuth($checkApiKey, $checkSession)
     {

airtime_mvc/application/views/scripts/form/edit-user.phtml

@@ -166,10 +166,7 @@
                 </ul>
             <?php endif; ?> 
         </dd>
-
         <?php echo $this->element->getElement('csrf') ?>
-
-        <button type="submit" id="cu_save_user" class="btn btn-small right-floated"><?php echo _("Save")?></button>
     </dl>
     <button type="submit" id="cu_save_user" class="btn btn-small right-floated"><?php echo _("Save")?></button>
 </form>

airtime_mvc/application/views/scripts/plupload/index.phtml

@@ -11,8 +11,8 @@
 }
 ?>
 <form id="plupload_form" <?php if ($this->quotaLimitReached) { ?> class="hidden" <?php } ?>>
-        <?php echo $this->form->getElement('csrf') ?>
-	<div id="plupload_files"></div>	
+    <?php echo $this->form->getElement('csrf') ?>
+    <div id="plupload_files"></div>	
 </form>
 <div id="plupload_error">
 	<table></table>