CSRF protection for invites.php

darcs-hash:20080829045441-7b5ce-a1382496d8d6b043a1a72c0fb32051f1b43163c8.gz

diff --git a/actions/invite.php b/actions/invite.php
index 8b4346ca90b9ac8beaae1b4b8b464be75592fc91..c7d92085c163faff7999baba8f08186e6ae79e35 100644 (file)
--- a/actions/invite.php
+++ b/actions/invite.php
@@ -40,6 +40,13 @@ class InviteAction extends Action {
 
        function send_invitations() {
 
+               # CSRF protection
+               $token = $this->trimmed('token');
+               if (!$token || $token != common_session_token()) {
+                       $this->show_form(_('There was a problem with your session token. Try again, please.'));
+                       return;
+               }
+
                $user = common_current_user();
                $profile = $user->getProfile();
 
@@ -125,6 +132,7 @@ class InviteAction extends Action {
                common_element_start('form', array('method' => 'post',
                                                                                   'id' => 'invite',
                                                                                   'action' => common_local_url('invite')));
+               common_hidden('token', common_session_token());
 
                common_textarea('addresses', _('Email addresses'),
                                                $this->trimmed('addresses'),