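/**
 * Check for signs of a CSRF attack and only let the save step run
 * if the coast is clear.
 *
 * Only controllers that define a "<action>Save" method are guarded; for
 * any other controller the function returns false without touching
 * save_status. The outcome is recorded in $controller->save_status and,
 * on failure, also reported through $controller->error().
 *
 * @param Controller $controller  Expected to expose request (array with an
 *                                optional 'csrf' entry), session->get(),
 *                                config['domain'], action, save_status and
 *                                error() — TODO confirm against Controller.
 * @return bool True when the save may proceed, false otherwise.
 */
function csrfProtect($controller)
{
    $request = $controller->request;
    $save_method = underscoreToMethod($controller->action . "Save");
    if (!method_exists($controller, $save_method)) {
        return false;
    }

    if (!isset($request['csrf'])) {
        $controller->save_status = "no csrf";
        $controller->error("no csrf");
        return false;
    }

    $sess_token = $controller->session->get('csrf_token');
    $req_token = $request['csrf'];

    // Loose `==` let an empty request token match a missing (null) session
    // token. hash_equals() compares in constant time but needs two strings,
    // so a null session token or an array-valued parameter is rejected first.
    $match = is_string($sess_token)
        && is_string($req_token)
        && hash_equals($sess_token, $req_token);
    if (!$match) {
        $controller->save_status = "bad csrf";
        $controller->error("bad csrf");
        return false;
    }

    // PHP exposes the Referer header as $_SERVER['HTTP_REFERER']; the
    // previous 'referer' key is never populated, so the check was dead.
    // As before, a request without a Referer header is not rejected here.
    if (isset($_SERVER['HTTP_REFERER'])) {
        $parts = parse_url($_SERVER['HTTP_REFERER']);
        // parse_url() returns false for a malformed URL and omits 'host' for
        // a relative one; neither can match the configured domain.
        $host = (is_array($parts) && isset($parts['host'])) ? $parts['host'] : '';
        // Host names are case-insensitive, hence strcasecmp rather than !=.
        if (strcasecmp($host, (string) $controller->config['domain']) !== 0) {
            $controller->save_status = "bad referer";
            $controller->error("bad referer");
            return false;
        }
    }

    $controller->save_status = "success";
    return true;
}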
/**
 * Dispatch the current action: invoke its "<action>Save" handler when
 * saving is enabled, then its "<action>Run" handler when running is
 * enabled, falling back to defaultRun() (with the 'default' view) or,
 * failing that, to a FourOhFourRenderer.
 * @ignore
 */
function execute()
{
    if ($this->do_save) {
        $saver = underscoreToMethod($this->action) . "Save";
        if (method_exists($this, $saver)) {
            $this->$saver($this->request);
        }
    }

    if (!$this->do_run) {
        return;
    }

    $runner = underscoreToMethod($this->action) . "Run";
    if (method_exists($this, $runner)) {
        $this->$runner($this->request);
        return;
    }

    if (method_exists($this, 'defaultRun')) {
        // The generic handler renders the shared 'default' view.
        $this->view = 'default';
        $this->defaultRun($this->request);
        return;
    }

    // No handler at all for this action: hand off to the 404 renderer.
    $this->renderer = new FourOhFourRenderer();
}