From db505281ee12e526e1dbe776daea3e16b242cb87 Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Thu, 30 Jul 2015 09:33:04 +0200
Subject: [PATCH] lib: Disable CSRF token on HTTP authenticated users and not XHR

refs #9660
---
 library/Icinga/Web/Form.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/library/Icinga/Web/Form.php b/library/Icinga/Web/Form.php
index 626ac49af..1c106e017 100644
--- a/library/Icinga/Web/Form.php
+++ b/library/Icinga/Web/Form.php
@@ -948,10 +948,18 @@ class Form extends Zend_Form
      */
     public function addCsrfCounterMeasure()
     {
-        if (! $this->tokenDisabled && $this->getElement($this->tokenElementName) === null) {
-            $this->addElement(new CsrfCounterMeasure($this->tokenElementName));
+        if (! $this->tokenDisabled) {
+            $request = $this->getRequest();
+            if (! $request->isXmlHttpRequest()
+                && ($user = $request->getUser()) !== null
+                && $user->getIsHttpUser()
+            ) {
+                return $this;
+            }
+            if ($this->getElement($this->tokenElementName) === null) {
+                $this->addElement(new CsrfCounterMeasure($this->tokenElementName));
+            }
         }
-
         return $this;
     }
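Review bot: The new early return skips the CSRF element on exactly the requests where HTTP authentication makes cross-site request forgery easiest: a browser attaches Basic/Digest credentials to a cross-site form POST automatically, and such a POST is never an XMLHttpRequest, so the token is dropped on the unsafe path and kept on the safer one. If the intent behind refs #9660 is that HTTP-authenticated users have no usable session for the token, that constraint should be stated, and a defensive check that does not depend on the request type alone (for example, verifying the `Origin`/`Referer` header against the application's own host) should gate the early return instead. At minimum the method docblock, which starts outside the hunk, should say `Skips the token for non-XHR requests of HTTP-authenticated users (refs #9660); such form submissions are then not CSRF-protected`. That `getUser()` returns null for unauthenticated requests is inferred from the `!== null` test and should be confirmed.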