lib: Disable CSRF token on HTTP authenticated users and not XHR

refs #9660
This commit is contained in:
Eric Lippmann 2015-07-30 09:33:04 +02:00
parent 36ff2d8914
commit db505281ee
1 changed files with 11 additions and 3 deletions


@ -948,10 +948,18 @@ class Form extends Zend_Form
*/
public function addCsrfCounterMeasure()
{
if (! $this->tokenDisabled && $this->getElement($this->tokenElementName) === null) {
$this->addElement(new CsrfCounterMeasure($this->tokenElementName));
if (! $this->tokenDisabled) {
$request = $this->getRequest();
if (! $request->isXmlHttpRequest()
&& ($user = $request->getUser()) !== null
&& $user->getIsHttpUser()
) {
return $this;
}
if ($this->getElement($this->tokenElementName) === null) {
$this->addElement(new CsrfCounterMeasure($this->tokenElementName));
}
}
return $this;
}
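Review bot: The new early return in addCsrfCounterMeasure skips the token for exactly the request class a cross-site attacker can produce: a browser that holds cached HTTP (Basic) credentials attaches them to a forged cross-origin form POST automatically, just as it does cookies, and such a POST is not an XMLHttpRequest, so `! $request->isXmlHttpRequest() && $user->getIsHttpUser()` exempts it while same-origin XHR calls, which cannot be forged without the X-Requested-With header, still carry the token. If the intent is to let non-browser API clients (which cannot fetch a token first) submit forms, the commit should say so and the exemption should be narrowed to what distinguishes those clients, which is not visible here; at minimum a comment such as `// HTTP-authenticated non-XHR callers are exempted so that API clients can submit forms without a prior token fetch; browsers with cached Basic credentials are NOT protected on this path` would record the trade-off. The assignment inside the condition (`($user = $request->getUser()) !== null`) is a readability point; hoisting `$user = $request->getUser();` above the `if` and testing `$user !== null && $user->getIsHttpUser()` keeps the guard readable, and the early `return $this;` then duplicates the method's final return and could be folded into a single guarded `if` around the addElement call.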