From d5ee710f89d3378ced237ecedde107e8720c1dc5 Mon Sep 17 00:00:00 2001
From: Albert Santoni
Date: Thu, 22 Jan 2015 12:20:13 -0500
Subject: [PATCH] Fixed CSRF token checking in MediaController (broken by last 2 commits)

* Also fixed getOwnerId(), no longer calls a non-existent function
---
 .../controllers/plugins/Acl_plugin.php           | 15 ++++++++++-----
 .../modules/rest/controllers/MediaController.php |  2 +-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
index 1918430ea..4fa993e29 100644
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
@@ -146,7 +146,14 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
         // If we have an identity and we're making a RESTful request,
         // we need to check the CSRF token
         if ($request->_action != "get" && $request->getModuleName() == "rest") {
-            $this->verifyCSRFToken($request->getParam("csrf_token"));
+            $tokenValid = $this->verifyCSRFToken($request->getParam("csrf_token"));
+
+            if (!$tokenValid) {
+                $this->getResponse()
+                    ->setHttpResponseCode(401)
+                    ->appendBody("ERROR: CSRF token mismatch.");
+                return;
+            }
         }
 
         $userInfo = Zend_Auth::getInstance()->getStorage()->read();
@@ -189,10 +196,8 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
         $current_namespace = new Zend_Session_Namespace('csrf_namespace');
         $observed_csrf_token = $token;
         $expected_csrf_token = $current_namespace->authtoken;
-
-        $this->getResponse()
-            ->setHttpResponseCode(401)
-            ->appendBody("ERROR: CSRF token mismatch.");
+        Logging::error("Observed: " . $observed_csrf_token);
+        Logging::error("Expected: " . $expected_csrf_token);
 
         return ($observed_csrf_token == $expected_csrf_token);
     }
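Review bot: The new mismatch branch sets a 401 and appends a body but then only does a bare `return;`, and in a Zend_Controller plugin hook a plain return does not stop Zend_Controller_Front from dispatching the REST action afterwards, so the rejected request may still be processed with the error text merely prepended to the action's output; the enclosing method's signature is outside the hunk, so which hook this is cannot be confirmed here. To make the check fail closed, the request has to be taken off the dispatch path as well, for example by forwarding it to an error action or throwing an exception the ErrorHandler plugin turns into the 401, rather than returning from the plugin. A one-line comment on the branch would record the intent for the next maintainer: `// Fail closed: a mismatch must prevent the REST action from running, not just annotate the response`.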
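Review bot: The two added `Logging::error` lines in verifyCSRFToken write the session's expected CSRF token, together with the client-submitted value, to the log at error level on every non-GET REST request, not only on failure; the expected token is a per-session secret, and persisting it in logs hands the anti-CSRF protection to anyone who can read them. Log only the outcome and keep the values out: `$tokenMatches = ($expected_csrf_token !== null && $observed_csrf_token === $expected_csrf_token);` `if (!$tokenMatches) { Logging::error("CSRF token mismatch"); }` `return $tokenMatches;`. That rewrite also tightens the retained comparison on the last context line, where loose `==` lets a request with no `csrf_token` parameter pass whenever the session namespace holds no `authtoken` yet (`null == null`), and a strict comparison (or `hash_equals` where the PHP version provides it) removes that gap.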
diff --git a/airtime_mvc/application/modules/rest/controllers/MediaController.php b/airtime_mvc/application/modules/rest/controllers/MediaController.php
index a5ee08fd9..7a7810711 100644
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@@ -338,7 +338,7 @@ class Rest_MediaController extends Zend_Rest_Controller
     private function getOwnerId()
     {
         try {
-            if (Zend_Auth::getInstance()->hasIdentity()) {
+            if (Zend_Auth::getInstance()->hasIdentity()) {
                 $service_user = new Application_Service_UserService();
                 return $service_user->getCurrentUser()->getDbId();
             } else {
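Review bot: getOwnerId now derives the owner purely from the Zend_Auth session identity, which is the right source (the client cannot supply it), but the method carries no docblock saying so, and that contract is what a later maintainer needs before they are tempted to accept an owner id from the request. Add above the signature: `/** Owner id for the request: the DB id of the user in the current Zend_Auth identity, never a client-supplied value. Returns the else-branch value when no identity is present. */`. Separately, `getCurrentUser()->getDbId()` dereferences the service result without a null check; if getCurrentUser() can return null for an identity whose user row no longer exists, that is a fatal error rather than an exception and the surrounding try/catch will not see it — worth confirming against Application_Service_UserService. The else branch and the catch clause lie outside the hunk.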