Merge branch 'nightly' into 'nightly'
index 0e81082c35ea79a322a3dc26d92f6848074036cc..a3deccd3da0e05aa25808b6ab9296a4790d76a8d 100644 (file)
@@ -85,8 +85,10 @@ class ApiAuthAction extends ApiAction
         // NOTE: $this->scoped and $this->auth_user has to get set in
         // prepare(), not handle(), as subclasses use them in prepares.
 
-        // Allow regular login session
-        if (common_logged_in()) {
+        // Allow regular login session, but we have to double-check the
+        // HTTP_REFERER value to avoid cross domain POSTing since the API
+        // doesn't use the "token" form field.
+        if (common_logged_in() && common_local_referer()) {
             $this->scoped = Profile::current();
             $this->auth_user = $this->scoped->getUser();
             if (!$this->auth_user->hasRight(Right::API)) {
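Review bot: The new condition on line 14 relies on the Referer header, which browsers omit or strip under `Referrer-Policy: no-referrer`, privacy tooling and some proxies, so whether an absent header is fail-open or fail-closed depends entirely on `common_local_referer()`, whose implementation is outside this hunk. If it returns true for a missing header the cross-site protection this commit intends can be bypassed by a request that carries no Referer at all; if it returns false, session-authenticated browser clients with a suppressed Referer will silently drop out of this branch. Please state the chosen behaviour next to the check, e.g. `// NOTE: Referer is optional and frequently stripped; an absent header is treated as non-local here — confirm against common_local_referer()`, and since the condition applies to every HTTP method while the comment mentions only POSTing, say whether read-only GET requests are meant to be affected too. For the POST case the Origin header is the more reliable signal and is worth recording as a follow-up. The enclosing method starts before the hunk and continues after it.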