Fix bug #3407728: Can't delete users from admin page

Christian Weiske 2011-11-01 06:49:40 +01:00
parent e81599e437
commit d97b4589ad
2 changed files with 4 additions and 2 deletions


@ -10,6 +10,7 @@ ChangeLog for SemantiScuttle
- Fix bug #3393951: Logo images missing on bookmark page - Fix bug #3393951: Logo images missing on bookmark page
- Fix bug #3388219: Incorrect URL when cancelling tag2tag-actions - Fix bug #3388219: Incorrect URL when cancelling tag2tag-actions
- Fix bug #3399815: PHP error in opensearch API in 0.98.3 - Fix bug #3399815: PHP error in opensearch API in 0.98.3
- Fix bug #3407728: Can't delete users from admin page
0.98.3 - 2011-08-09 0.98.3 - 2011-08-09


@ -48,7 +48,8 @@ if ( !$currentUser->isAdmin() ) {
@list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL; @list($url, $action, $user) = isset($_SERVER['PATH_INFO']) ? explode('/', $_SERVER['PATH_INFO']) : NULL;
if ($action if ($action
&& (strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') === 0) // Prevent CSRF attacks && (strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') <= 6)
// Prevent CSRF attacks. 6 is needed for "//example.org"-root urls
) { ) {
switch ( $action ) { switch ( $action ) {
case 'delete': case 'delete':
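Review bot: The new condition `strpos($_SERVER['HTTP_REFERER'], ROOT.'admin') <= 6` is also true when `strpos()` returns `false`, because `false <= 6` holds under PHP's loose comparison. A request whose Referer does not contain the admin URL at all, or that sends an empty or missing Referer, therefore passes the CSRF guard that the old `=== 0` rejected. Keep the not-found case explicit, for example `&& isset($_SERVER['HTTP_REFERER'])` followed by `&& ($pos = strpos($_SERVER['HTTP_REFERER'], ROOT.'admin')) !== false && $pos <= 6`. Even then, a Referer prefix match is a weak defence for a state-changing action like `delete`; a per-session token verified on the request would be the sturdier fix. The `switch` body continues outside the hunk, so whether the individual cases add their own checks is not visible here.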