Diffstat (limited to 'actions/newnotice.php')
-rw-r--r-- | actions/newnotice.php | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/actions/newnotice.php b/actions/newnotice.php
index b5fc98c37..37cca982d 100644
--- a/actions/newnotice.php
+++ b/actions/newnotice.php
@@ -20,7 +20,7 @@
 if (!defined('LACONICA')) { exit(1); }
 class NewnoticeAction extends Action {
-
+
 function handle($args) {
 parent::handle($args);
 # XXX: Ajax!
@@ -36,10 +36,17 @@ class NewnoticeAction extends Action {
 function save_new_notice() {
+ # CSRF protection - token set in common_notice_form()
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->client_error(_('There was a problem with your session token. Try again, please.'));
+ return;
+ }
+
 $user = common_current_user();
 assert($user); # XXX: maybe an error instead...
 $content = $this->trimmed('status_textarea');
-
+
 if (!$content) {
 $this->show_form(_('No content!'));
 return;
@@ -51,9 +58,9 @@ class NewnoticeAction extends Action {
 }
 $inter = new CommandInterpreter();
-
+
 $cmd = $inter->handle_command($user, $content);
-
+
 if ($cmd) {
 $cmd->execute(new WebChannel());
 return;
@@ -62,18 +69,18 @@ class NewnoticeAction extends Action {
 $replyto = $this->trimmed('inreplyto');
 common_debug("Replyto = $replyto\n");
-
+
 $notice = Notice::saveNew($user->id, $content, 'web', 1, ($replyto == 'false') ? NULL : $replyto);
-
+
 if (is_string($notice)) {
 $this->show_form($notice);
 return;
 }
-
+
 common_broadcast_notice($notice);
-
+
 $returnto = $this->trimmed('returnto');
-
+
 if ($returnto) {
 $url = common_local_url($returnto, array('nickname' => $user->nickname));
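Review bot: The new CSRF check in save_new_notice compares the submitted token with loose `!=`, which makes PHP compare two numeric-looking strings as numbers rather than as bytes; if common_session_token() (not visible here) ever yields a digest of the form `0e` followed by digits, an attacker-supplied value such as `00` would compare equal and the check would pass. Use strict comparison on the line `if (!$token || $token !== common_session_token()) {` so only a byte-identical token is accepted. The `!$token` guard also rejects a legitimate token whose value is the string `0`, which is harmless only if the token generator never produces it — worth confirming against common_session_token(). Note that save_new_notice continues beyond this hunk, so the later error paths are not visible here.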