Merge branch 'cc-5709-airtime-analyzer' into cc-5709-airtime-analyzer-cloud-storage

2014-10-30 12:17:34 -04:00 · 2014-10-30 12:17:34 -04:00 · b871b32175
commit b871b32175
parent e23649173d 54d1bcf81e
10 changed files with 724 additions and 246 deletions
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@ -315,12 +315,18 @@ class Rest_MediaController extends Zend_Rest_Controller
        } 
        return $id;
    }
-    
+
    private function verifyAuth($checkApiKey, $checkSession)
    {
-        //Session takes precedence over API key for now:
-        if ($checkSession && $this->verifySession()) 
-        {
+        //  Session takes precedence over API key for now:
+        if ($checkSession && $this->verifySession()) {
+            //  CSRF token validation only applies to session based authorization.
+            if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
+                $resp = $this->getResponse();
+                $resp->setHttpResponseCode(401);
+                $resp->appendBody("ERROR: Token Missmatch."); 
+                return false;
+            }
            return true;
        }
        
@ -336,6 +342,17 @@ class Rest_MediaController extends Zend_Rest_Controller
        return false;
    }
    
+    private function verifyCSRFToken($token){
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $token;
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if($observed_csrf_token == $expected_csrf_token){
+            return true;
+        }else{
+            return false;
+        }
+    }

    private function verifyAPIKey()
    {