X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=actions%2Fuserauthorization.php;h=6208113981d313ec4e87c8570c018ab05f58b3cb;hb=2dc50d7e3768548c78f095903388d53a5bee373f;hp=8059c3106b8e4051ca5de01372cab3cbc57fc8b7;hpb=ea40dabb392aec3d7b9da666285969bb296a94e2;p=quix0rs-gnu-social.git diff --git a/actions/userauthorization.php b/actions/userauthorization.php index 8059c3106b..6208113981 100644 --- a/actions/userauthorization.php +++ b/actions/userauthorization.php @@ -23,11 +23,18 @@ require_once(INSTALLDIR.'/lib/omb.php'); define('TIMESTAMP_THRESHOLD', 300); class UserauthorizationAction extends Action { - + function handle($args) { parent::handle($args); if ($_SERVER['REQUEST_METHOD'] == 'POST') { + # CSRF protection + $token = $this->trimmed('token'); + if (!$token || $token != common_session_token()) { + $req = $this->get_stored_request(); + $this->show_form(_('There was a problem with your session token. Try again, please.'), $req); + return; + } # We've shown the form, now post user's choice $this->send_authorization(); } else { @@ -116,6 +123,7 @@ class UserauthorizationAction extends Action { 'id' => 'userauthorization', 'name' => 'userauthorization', 'action' => common_local_url('userauthorization'))); + common_hidden('token', common_session_token()); common_submit('accept', _('Accept')); common_submit('reject', _('Reject')); common_element_end('form');
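Review bot: The new session-token check in handle() compares with PHP's loose `!=` on the line `if (!$token || $token != common_session_token())`, which compares two numeric-looking strings as numbers (two hex tokens both starting with `0e` compare equal, for instance) and is not constant-time. Unless common_session_token() is known to return a value that can never look numeric, make the comparison strict, `if (!$token || $token !== common_session_token()) {`, or use `!hash_equals(common_session_token(), $token)` where the deployed PHP supports it. The rejection path passes whatever get_stored_request() returns straight to show_form(), presumably null when nothing is stored, so it is worth confirming show_form() tolerates that, since the token error is reported before the stored request is validated. handle()'s else branch and the remainder of the method continue past the end of the hunk.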