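/**
 * Validates the presence of action tokens.
 *
 * This function is called for all actions. If the action token is missing or
 * invalid, an error is emitted and the user is forwarded back to the referring
 * page (REFERER) with the 'csrf' reason; the action body must never run in
 * that case.
 *
 * This function verifies form input for security features (like a generated token),
 * and forwards if they are invalid.
 *
 * @return mixed True if valid; otherwise redirects and terminates the request.
 * @access private
 */
function action_gatekeeper() {
	if (validate_action_token()) {
		return TRUE;
	}

	forward(REFERER, 'csrf');

	// Fail closed: forward() is expected to end the request, but should it ever
	// return (e.g. the redirect could not be issued) the caller's action must
	// not continue without a valid token. Mirrors the older `forward(); exit;`
	// form of this gatekeeper.
	exit;
}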
/**
 * Action gatekeeper.
 *
 * Checks the form's security features (the generated action token) and, when
 * they do not validate, forwards the request and stops processing so the
 * action body never executes.
 *
 * Place at the head of actions.
 *
 * @return bool True when the action token validates; otherwise the request is
 *              forwarded and execution stops.
 */
function action_gatekeeper() {
	$tokenIsValid = validate_action_token();
	if (!$tokenIsValid) {
		// Missing or bad token: redirect, then make certain nothing below runs.
		forward();
		exit;
	}
	return true;
}
/**
 * Verifies the action token for $action and forwards when it is invalid.
 *
 * Non-login actions are checked with validateActionToken() and, on failure,
 * the request is forwarded to REFERER with the 'csrf' reason. The login action
 * gets special handling: a token that is present with a valid timestamp but
 * still fails validation is reported as a cross-site login attempt and the
 * user is forwarded to the login page instead.
 *
 * NOTE(review): every forward() call here is relied upon not to return;
 * confirm that holds for this Elgg version (headers already sent, hooks).
 *
 * @param string $action Name of the action being executed.
 *
 * @return mixed True when the token validates; otherwise forwards.
 *
 * @see action_gatekeeper
 * @access private
 */
public function gatekeeper($action) {
	if ($action !== 'login') {
		if ($this->validateActionToken()) {
			return true;
		}
		forward(REFERER, 'csrf');
		return;
	}

	// Login: first pass is silent (the false argument presumably suppresses
	// error messages — confirm against validateActionToken()).
	if ($this->validateActionToken(false)) {
		return true;
	}

	$submittedToken = get_input('__elgg_token');
	$submittedTs = (int) get_input('__elgg_ts');
	if ($submittedToken && $this->validateTokenTimestamp($submittedTs)) {
		// Token present and timestamp in range but validation failed: most
		// likely the login form was served from a different domain.
		register_error(elgg_echo('actiongatekeeper:crosssitelogin'));
		forward('login', 'csrf');
	}

	// Called for its side effect only: the validator registers the
	// appropriate error message for the user.
	validate_action_token();

	forward(REFERER, 'csrf');
}