diff --git a/README.md b/README.md
index 9bb1e8e..15c8279 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ Kritbit is designed to be simple and flexible. It makes no assumptions about you
 # Authentication/Authorization
-Each user logs in using OAuth (see below for setup) and can only edit jobs that they have created (there are no groups or way of "granting" permission). A job history can have a flag to allow anonymous users to view the history. However, kritbit does not censor the output so be careful allowing people to view history of jobs that may contain sensitive information.
+Each user logs in using OAuth (see below for setup) and can only edit jobs that they have created (there are no groups or way of "granting" permission). A user MUST be pre-registered into the users table otherwise they will not be able to login and create jobs (this is done to prevent abuse - though you can easily change this behavior). A job history can have a flag to allow anonymous users to view the history. However, kritbit does not censor the output so be careful allowing people to view history of jobs that may contain sensitive information.
 # Install
diff --git a/web/application/controllers/base.php b/web/application/controllers/base.php
index eceae89..8ebd738 100644
--- a/web/application/controllers/base.php
+++ b/web/application/controllers/base.php
@@ -116,5 +116,12 @@ abstract class base extends \system\engine\HF_Controller {
 if ($this->loginRequired && !$this->user) {
 $this->login();
 }
+
+
+ if (isset($_POST["csrfmiddlewaretoken"])) {
+ if ($_POST["csrfmiddlewaretoken"] != $_COOKIE["csrftoken"]) {
+ throw new \Exception("CSRF tokens did not match");
+ }
+ }
 }
 }
\ No newline at end of file
diff --git a/web/application/views/add.html b/web/application/views/add.html
index b98263d..912e484 100644
--- a/web/application/views/add.html
+++ b/web/application/views/add.html
@@ -7,7 +7,7 @@
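Review bot: The new CSRF check only runs when the request already contains `csrfmiddlewaretoken` (the outer `isset` guard), so a forged cross-site form simply omits the field and is never rejected; the token must be required on every state-changing request (POST/PUT/DELETE), not only when the sender chooses to include one. The comparison itself should be `hash_equals()` with explicit rejection of empty values: with `!=`, a missing `csrftoken` cookie (null) compares equal to an empty POST field, and two numeric-looking strings such as `0e123` and `0e456` compare loosely equal, so a strict, constant-time comparison is needed. A double-submit check is also only as strong as the cookie — anything able to set cookies for this host (a sibling subdomain, for instance) can satisfy it — so the `csrftoken` cookie should be tied to the session or signed; nothing in this diff shows where that cookie is generated, so this is a point to confirm rather than a defect I can see. The method this code runs in starts outside the hunk, as does the `$this->login()` path, so the placement below assumes `login()` redirects or exits before the token check is reached.

```php
// … unchanged: loginRequired / $this->login() check …

$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
if (!in_array($method, array('GET', 'HEAD', 'OPTIONS'), true)) {
    $submitted = isset($_POST['csrfmiddlewaretoken']) ? (string) $_POST['csrfmiddlewaretoken'] : '';
    $expected  = isset($_COOKIE['csrftoken']) ? (string) $_COOKIE['csrftoken'] : '';
    // hash_equals() needs PHP >= 5.6: strict, constant-time; empty/missing tokens are rejected outright
    if ($submitted === '' || $expected === '' || !hash_equals($expected, $submitted)) {
        throw new \Exception("CSRF tokens did not match");
    }
}
```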
- + {% csrf_token %}