Fixed CSRF token checking in MediaController (broken by the last 2 commits)

* Also fixed getOwnerId(), no longer calls a non-existent function
Albert Santoni 2015-01-22 12:20:13 -05:00
parent 476128ce87
commit d5ee710f89
2 changed files with 11 additions and 6 deletions


@ -146,7 +146,14 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
// If we have an identity and we're making a RESTful request,
// we need to check the CSRF token
if ($request->_action != "get" && $request->getModuleName() == "rest") {
$this->verifyCSRFToken($request->getParam("csrf_token"));
$tokenValid = $this->verifyCSRFToken($request->getParam("csrf_token"));
if (!$tokenValid) {
$this->getResponse()
->setHttpResponseCode(401)
->appendBody("ERROR: CSRF token mismatch.");
return;
}
}
$userInfo = Zend_Auth::getInstance()->getStorage()->read();
@ -189,10 +196,8 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
$current_namespace = new Zend_Session_Namespace('csrf_namespace');
$observed_csrf_token = $token;
$expected_csrf_token = $current_namespace->authtoken;
$this->getResponse()
->setHttpResponseCode(401)
->appendBody("ERROR: CSRF token mismatch.");
Logging::error("Observed: " . $observed_csrf_token);
Logging::error("Expected: " . $expected_csrf_token);
return ($observed_csrf_token == $expected_csrf_token);
}
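Review bot: The comparison on the hunk's last line, `return ($observed_csrf_token == $expected_csrf_token);`, is a loose equality, so a request that omits csrf_token (getParam yields null) checked against a session whose authtoken was never set (also null) evaluates to true, and numeric-looking tokens compare by value rather than byte by byte; reject an empty expected token first and then compare strictly, e.g. `if ($expected_csrf_token === null || $expected_csrf_token === '') { return false; }` followed by `return hash_equals((string) $expected_csrf_token, (string) $observed_csrf_token);` (hash_equals needs PHP 5.6; `===` is the minimal substitute on older runtimes). The two Logging::error calls just above now execute on every request, successful ones included, and write both token values into the log; move them under a mismatch condition and log only that a mismatch occurred, not the token contents. The function's signature lies outside the hunk, as does the caller changed in the first hunk, whose plain `return;` after setting the 401 may not stop the action from dispatching if that method is a Zend Framework 1 preDispatch hook — worth confirming against the front controller's dispatch loop.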


@ -338,7 +338,7 @@ class Rest_MediaController extends Zend_Rest_Controller
private function getOwnerId()
{
try {
if ($this->verifySession()) {
if (Zend_Auth::getInstance()->hasIdentity()) {
$service_user = new Application_Service_UserService();
return $service_user->getCurrentUser()->getDbId();
} else {
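Review bot: getOwnerId carries no docblock, and after replacing the verifySession() call with Zend_Auth::getInstance()->hasIdentity() a reader has to trace the else branch and the catch, both outside the hunk, to learn what the method returns when no identity is present or when the user lookup fails. Add a docblock above the signature along the lines of `/** Returns the DB id of the currently authenticated user; see the else and catch branches for the no-identity and failure results. */`. If getCurrentUser() can return null, guard it before `->getDbId()`, since a method call on null is a fatal error in PHP 5 rather than an exception the surrounding try can catch — presumably it always returns a user, but that is not visible here. The method body continues beyond the hunk.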