From a0ba7da786f6fa0ccaf58c88832fd0ed307b0461 Mon Sep 17 00:00:00 2001
From: Tim Steiner <tsteiner2@unl.edu>
Date: Tue, 23 Mar 2010 22:29:01 +0000
Subject: [PATCH] Add XSRF protection to the requests/index/decide.post action.

---
 .../modules/courses/views/scripts/view/index.phtml        | 1 +
 .../modules/requests/controllers/IndexController.php      | 8 ++++++++
 .../modules/requests/views/scripts/index/index.phtml      | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/application/modules/courses/views/scripts/view/index.phtml b/application/modules/courses/views/scripts/view/index.phtml
index 403de4a9..b6ff02e8 100644
--- a/application/modules/courses/views/scripts/view/index.phtml
+++ b/application/modules/courses/views/scripts/view/index.phtml
@@ -167,6 +167,7 @@ $this->layout()->breadcrumbs = array($breadcrumb . ': ' . $this->course->getCour
     
     <?php if ($this->action) { ?>
     <form id="decisionForm" action="<?php echo $this->baseUrl(); ?>/requests/index/decide.post">
+        <?php echo $this->formHidden('xsrfToken', Unl_XsrfToken::getInstance()->create()); ?>
         Action: <?php echo $this->action->getName(); ?><br />
         <?php echo $this->formHidden('returnUrl', '/courses/view/index/id/' . $this->request->getId()); ?>
         <?php echo $this->formSelect('decisions[' . $this->request->getId() . ']', $this->selectedDecision, null, array('_null' => $this->defaultDecision) + $this->action->getResultStatusStrings($this->user)); ?>
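Review bot: The form this token is added to has no `method` attribute (the `<form id="decisionForm" ...>` line above), so unlike the two forms in requests/views/scripts/index/index.phtml it submits as GET and the hidden `xsrfToken` together with the decisions ends up in the query string, where it is exposed in server logs, browser history and Referer headers. Change the tag to `<form id="decisionForm" action="<?php echo $this->baseUrl(); ?>/requests/index/decide.post" method="post">`. This view also mints the token itself with `Unl_XsrfToken::getInstance()->create()`, whereas the other views take `$this->xsrfToken` from the controller; presumably `create()` stores the value it returns so that `verify()` accepts it, but if it issues a new token per call the two paths may diverge, so consider having the courses controller set `$this->view->xsrfToken` the same way for consistency.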
diff --git a/application/modules/requests/controllers/IndexController.php b/application/modules/requests/controllers/IndexController.php
index 97adc904..d46f2b56 100644
--- a/application/modules/requests/controllers/IndexController.php
+++ b/application/modules/requests/controllers/IndexController.php
@@ -239,11 +239,19 @@ class Requests_IndexController extends App_Controller_Action
 				}
             }
 		}
+		
+		$this->view->xsrfToken = Unl_XsrfToken::getInstance()->create();
 	}
 
 	public function decidePostAction()
 	{
 	    $in = $this->getRequest()->getParams();
+	    
+	    if (!Unl_XsrfToken::getInstance()->verify($in['xsrfToken'])) {
+	    	throw new Zend_Exception('Invalid XSRF Token! Please go back click the Refresh button while holding Shift.');
+	    }
+	    
+	    exit;
 
 	    $requestDecisions = array();
 	    foreach ($in['decisions'] as $requestId => $decision) {
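Review bot: The `exit;` added right after the token check terminates the request before the decision-processing code that follows, so decidePostAction no longer does anything on a valid token; it looks like a leftover from debugging and should be removed. The check itself reads `$in['xsrfToken']` without an existence test, which raises an undefined-index notice (and passes null to `verify()`) when the field is missing; prefer `if (!isset($in['xsrfToken']) || !Unl_XsrfToken::getInstance()->verify($in['xsrfToken'])) {` so a request without the token is rejected cleanly. The exception message is also missing a word: `'Invalid XSRF Token! Please go back and click the Refresh button while holding Shift.'`. The body of decidePostAction continues beyond the end of this hunk.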
diff --git a/application/modules/requests/views/scripts/index/index.phtml b/application/modules/requests/views/scripts/index/index.phtml
index a38e2504..7a56ca93 100644
--- a/application/modules/requests/views/scripts/index/index.phtml
+++ b/application/modules/requests/views/scripts/index/index.phtml
@@ -110,6 +110,7 @@
     </div>
     <div class="content">
     <form action="<?php echo $this->baseUrl(); ?>/requests/index/decide.post" method="post">
+        <?php echo $this->formHidden('xsrfToken', $this->xsrfToken); ?>
         <?php if(count($this->userRequests) == 0) { ?>
         <h2>You currently have no requests.</h2>
         <?php } else { ?>
@@ -269,6 +270,7 @@ foreach($this->roles as $roleData) {
         	<?php } ?>
 
         <form action="<?php echo $this->baseUrl(); ?>/requests/index/decide.post" method="post">
+            <?php echo $this->formHidden('xsrfToken', $this->xsrfToken); ?>
             <div class="setAllDecisions">
                 <?php echo $this->formSubmit('submit', 'Submit Decisions'); ?>
             </div>
-- 
GitLab