/**
* Validates the presence of action tokens.
*
* This function is called for all actions. If action tokens are missing,
* the user will be forwarded to the site front page and an error emitted.
*
* This function verifies form input for security features (like a generated token),
* and forwards if they are invalid.
*
* @return mixed True if valid or redirects.
* @access private
*/
function action_gatekeeper()
{
if (validate_action_token()) {
return TRUE;
}
forward(REFERER, 'csrf');
}
/**
* Action gatekeeper.
* This function verifies form input for security features (like a generated token), and forwards
* the page if they are invalid.
*
* Place at the head of actions.
*/
function action_gatekeeper()
{
if (validate_action_token()) {
return true;
}
forward();
exit;
}
/**
* @see action_gatekeeper
* @access private
*/
public function gatekeeper($action)
{
if ($action === 'login') {
if ($this->validateActionToken(false)) {
return true;
}
$token = get_input('__elgg_token');
$ts = (int) get_input('__elgg_ts');
if ($token && $this->validateTokenTimestamp($ts)) {
// The tokens are present and the time looks valid: this is probably a mismatch due to the
// login form being on a different domain.
register_error(elgg_echo('actiongatekeeper:crosssitelogin'));
forward('login', 'csrf');
}
// let the validator send an appropriate msg
validate_action_token();
} else {
if ($this->validateActionToken()) {
return true;
}
}
forward(REFERER, 'csrf');
}
