CSRF protection for subscription/unsubscription
[quix0rs-gnu-social.git] / actions / login.php
index 003d6613f7425f6c954341aa01fca3d35e2cbc13..aa25a0cec5fb3a179524100c5a0af15dd25290a2 100644 (file)
@@ -21,6 +21,10 @@ if (!defined('LACONICA')) { exit(1); }
 
 class LoginAction extends Action {
 
+       function is_readonly() {
+               return true;
+       }
+
        function handle($args) {
                parent::handle($args);
                if (common_is_real_login()) {
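Review bot: `is_readonly()` returns true unconditionally on an action that also handles the login form submission, and nothing in the hunk documents what the flag promises. If the framework uses it to select a read-only database connection or to relax write-side checks (an assumption, since the caller is not visible here), any write on the login path, such as storing a remember-me record, would run under that mode. I would add a comment above the method along the lines of `// Read-only: this action must not write to the database; confirm the login POST path (rememberme) honours that.` and verify it against `handle()`, whose body continues outside the hunk.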
@@ -109,10 +113,21 @@ class LoginAction extends Action {
        }
 
        function get_instructions() {
-               return _('Login with your username and password. ' .
-                                 'Don\'t have a username yet? ' .
-                                 '[Register](%%action.register%%) a new account, or ' .
-                                 'try [OpenID](%%action.openidlogin%%). ');
+               if (common_logged_in() &&
+                       !common_is_real_login() &&
+                       common_get_returnto())
+               {
+                       # rememberme logins have to reauthenticate before
+                       # changing any profile settings (cookie-stealing protection)
+                       return _('For security reasons, please re-enter your ' .
+                                        'user name and password ' .
+                                        'before changing your settings.');
+               } else {
+                       return _('Login with your username and password. ' .
+                                        'Don\'t have a username yet? ' .
+                                        '[Register](%%action.register%%) a new account, or ' .
+                                        'try [OpenID](%%action.openidlogin%%). ');
+               }
        }
 
        function show_top($error=NULL) {
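Review bot: The re-authentication branch in `get_instructions()` says the user must log in again 'before changing your settings', but the condition only checks that a return-to target exists (`common_get_returnto()`), not that the target is a settings page. The commit title suggests the same redirect is now used for subscription/unsubscription, so a remembered-cookie user arriving from one of those actions would be given the wrong reason. A neutral ending such as `'before continuing.'` fits every return-to target, and the `#` comment could read "before any protected action" instead of "before changing any profile settings". This text is only explanatory, so the check that forces a real login still has to live in each action that redirects here, which is not visible in this hunk.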