summaryrefslogtreecommitdiff
path: root/actions/newnotice.php
diff options
context:
space:
mode:
Diffstat (limited to 'actions/newnotice.php')
-rw-r--r--actions/newnotice.php25
1 files changed, 16 insertions, 9 deletions
diff --git a/actions/newnotice.php b/actions/newnotice.php
index b5fc98c37..37cca982d 100644
--- a/actions/newnotice.php
+++ b/actions/newnotice.php
@@ -20,7 +20,7 @@
if (!defined('LACONICA')) { exit(1); }
class NewnoticeAction extends Action {
-
+
function handle($args) {
parent::handle($args);
# XXX: Ajax!
@@ -36,10 +36,17 @@ class NewnoticeAction extends Action {
function save_new_notice() {
+ # CSRF protection - token set in common_notice_form()
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->client_error(_('There was a problem with your session token. Try again, please.'));
+ return;
+ }
+
$user = common_current_user();
assert($user); # XXX: maybe an error instead...
$content = $this->trimmed('status_textarea');
-
+
if (!$content) {
$this->show_form(_('No content!'));
return;
@@ -51,9 +58,9 @@ class NewnoticeAction extends Action {
}
$inter = new CommandInterpreter();
-
+
$cmd = $inter->handle_command($user, $content);
-
+
if ($cmd) {
$cmd->execute(new WebChannel());
return;
@@ -62,18 +69,18 @@ class NewnoticeAction extends Action {
$replyto = $this->trimmed('inreplyto');
common_debug("Replyto = $replyto\n");
-
+
$notice = Notice::saveNew($user->id, $content, 'web', 1, ($replyto == 'false') ? NULL : $replyto);
-
+
if (is_string($notice)) {
$this->show_form($notice);
return;
}
-
+
common_broadcast_notice($notice);
-
+
$returnto = $this->trimmed('returnto');
-
+
if ($returnto) {
$url = common_local_url($returnto,
array('nickname' => $user->nickname));