X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fopenidlogin.php;h=b066b9aa4ecdb349381d1e0c4fbd38e7aa7b563b;hb=2e239e3fbb4b8b8bc837f32ee750c9cbf266f246;hp=fa04d457659e77fee59eca2e2a232d2a1bc11f8c;hpb=23c0b1f48241e198a631f333a3d6e5faedab0279;p=quix0rs-gnu-social.git

diff --git a/actions/openidlogin.php b/actions/openidlogin.php
index fa04d45765..b066b9aa4e 100644
--- a/actions/openidlogin.php
+++ b/actions/openidlogin.php
@@ -26,30 +26,55 @@ class OpenidloginAction extends Action {
 	function handle($args) {
 		parent::handle($args);
 		if (common_logged_in()) {
-			common_user_error(_t('Already logged in.'));
+			common_user_error(_('Already logged in.'));
 		} else if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-			$result = oid_authenticate($this->trimmed('openid_url'), 'finishopenidlogin');
+			$openid_url = $this->trimmed('openid_url');
+
+			# CSRF protection
+			$token = $this->trimmed('token');
+			if (!$token || $token != common_session_token()) {
+				$this->show_form(_('There was a problem with your session token. Try again, please.'), $openid_url);
+				return;
+			}
+
+			$result = oid_authenticate($openid_url,
+									   'finishopenidlogin');
 			if (is_string($result)) { # error message
-				$this->show_form($result);
+				$this->show_form($result, $openid_url);
 			}
 		} else {
-			$this->show_form();
+			$openid_url = oid_get_last();
+			$this->show_form(NULL, $openid_url);
 		}
 	}
 
-	function show_form($error=NULL) {
-		common_show_header(_t('OpenID Login'));
+	function get_instructions() {
+		return _('Login with an [OpenID](%%doc.openid%%) account.');
+	}
+
+	function show_top($error=NULL) {
 		if ($error) {
 			common_element('div', array('class' => 'error'), $error);
 		} else {
-			common_element('div', 'instructions',
-						   _t('Login with an OpenID account.'));
+			$instr = $this->get_instructions();
+			$output = common_markup_to_html($instr);
+			common_element_start('div', 'instructions');
+			common_raw($output);
+			common_element_end('div');
 		}
-		common_element_start('form', array('method' => 'POST',
+	}
+
+	function show_form($error=NULL, $openid_url) {
+		common_show_header(_('OpenID Login'), NULL, $error, array($this, 'show_top'));
+		$formaction = common_local_url('openidlogin');
+		common_element_start('form', array('method' => 'post',
 										   'id' => 'openidlogin',
-										   'action' => common_local_url('openidlogin')));
-		common_input('openid_url', _t('OpenID URL'));
-		common_submit('submit', _t('Login'));
+										   'action' => $formaction));
+		common_hidden('token', common_session_token());
+		common_input('openid_url', _('OpenID URL'),
+					 $openid_url,
+					 _('Your OpenID URL'));
+		common_submit('submit', _('Login'));
 		common_element_end('form');
 		common_show_footer();
 	}