old behaviour restored
[friendica.git] / include / security.php
index af424df26c65c6122ff76a2070c936b426cdc46d..70896992d94b4abfa24b4c79bfc9da1cf94ba76f 100644 (file)
@@ -299,8 +299,9 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null)
                        $gs = '<<>>'; // should be impossible to match
 
                        if (is_array($groups) && count($groups)) {
-                               foreach ($groups as $g)
+                               foreach ($groups as $g) {
                                        $gs .= '|<' . intval($g) . '>';
+                               }
                        }
 
                        $sql = sprintf(
@@ -405,12 +406,21 @@ function get_form_security_token($typename = '')
 
 function check_form_security_token($typename = '', $formname = 'form_security_token')
 {
-       if (!x($_REQUEST, $formname)) {
-               return false;
+       $hash = null;
+
+       if (!empty($_REQUEST[$formname])) {
+               /// @TODO Careful, not secured!
+               $hash = $_REQUEST[$formname];
        }
 
-       /// @TODO Careful, not secured!
-       $hash = $_REQUEST[$formname];
+       if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) {
+               /// @TODO Careful, not secured!
+               $hash = $_SERVER['HTTP_X_CSRF_TOKEN'];
+       }
+
+       if (empty($hash)) {
+               return false;
+       }
 
        $max_livetime = 10800; // 3 hours
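Review bot: In check_form_security_token() the candidate token is read from `$_REQUEST[$formname]` with no type check, and PHP turns a parameter submitted as `form_security_token[]=…` into an array, which passes `!empty()` and is carried on as `$hash`. The validation that follows lies outside this hunk, so this assumes it handles `$hash` as a string; guarding the read with `if (!empty($_REQUEST[$formname]) && is_string($_REQUEST[$formname])) {` keeps malformed input on the `return false` path. The `HTTP_X_CSRF_TOKEN` header also silently replaces a form-field token when both are present, so a comment such as `// header token takes precedence over the form field` would show the order is deliberate. The two `/// @TODO Careful, not secured!` markers would be more useful if they stated that the value is untrusted request input which is only validated further down.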