Closes #327: Thanks for the pointer. In the end I modified the fix from the patch you sent, it still uses get but the generated token should make a CSRF attack much harder.

git-svn-id: https://code.elgg.org/elgg/trunk@2057 36083f99-b078-4883-b0ff-0f9b5a30f544
author: marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> 2008-09-06 22:39:07 +0000
committer: marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544> 2008-09-06 22:39:07 +0000
commit: 4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9 (patch)
tree: a3c668c9c6bc883bb0699632e4d2ab75a698a7a1 /actions/admin
parent: f918ca09cec807801521059bac987793b3685139 (diff)
download: elgg-4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9.tar.gz
elgg-4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9.tar.bz2
2 files changed, 6 insertions, 0 deletions
diff --git a/actions/admin/plugins/disable.php b/actions/admin/plugins/disable.php
index 355fd2b52..b41a7603e 100644
--- a/actions/admin/plugins/disable.php
+++ b/actions/admin/plugins/disable.php
@@ -15,6 +15,9 @@
 	// block non-admin users
 	admin_gatekeeper();
 	
+	// Validate the action
+	action_gatekeeper();
+	
 	// Get the user 
 	$plugin = get_input('plugin');
 	
diff --git a/actions/admin/plugins/enable.php b/actions/admin/plugins/enable.php
index b13755327..537079112 100644
--- a/actions/admin/plugins/enable.php
+++ b/actions/admin/plugins/enable.php
@@ -15,6 +15,9 @@
 	// block non-admin users
 	admin_gatekeeper();
 	
+	// Validate the action
+	action_gatekeeper();
+	
 	// Get the user 
 	$plugin = get_input('plugin');
author	marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>	2008-09-06 22:39:07 +0000
committer	marcus <marcus@36083f99-b078-4883-b0ff-0f9b5a30f544>	2008-09-06 22:39:07 +0000
commit	4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9 (patch)
tree	a3c668c9c6bc883bb0699632e4d2ab75a698a7a1 /actions/admin
parent	f918ca09cec807801521059bac987793b3685139 (diff)
download	elgg-4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9.tar.gz elgg-4904ed24816685ab2df1e9fe88e5f2cbb0b4e9f9.tar.bz2