From 06c3b6e3c41c629e510c55199bd19914273b0e64 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 23 Feb 2013 14:16:29 -0500 Subject: Fixes #4997 stop requesting a token after a failed request --- engine/lib/actions.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'engine/lib/actions.php') diff --git a/engine/lib/actions.php b/engine/lib/actions.php index 53b185dea..ac6325813 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -252,10 +252,20 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) register_error(elgg_echo('actiongatekeeper:pluginprevents')); } } else if ($visibleerrors) { - register_error(elgg_echo('actiongatekeeper:timeerror')); + // this is necessary because of #5133 + if (elgg_is_xhr()) { + register_error(elgg_echo('js:security:token_refresh_failed', array(elgg_get_site_url()))); + } else { + register_error(elgg_echo('actiongatekeeper:timeerror')); + } } } else if ($visibleerrors) { - register_error(elgg_echo('actiongatekeeper:tokeninvalid')); + // this is necessary because of #5133 + if (elgg_is_xhr()) { + register_error(elgg_echo('js:security:token_refresh_failed', array(elgg_get_site_url()))); + } else { + register_error(elgg_echo('actiongatekeeper:tokeninvalid')); + } } } else { if (! empty($_SERVER['CONTENT_LENGTH']) && empty($_POST)) { -- cgit v1.2.3 From 473b5065a21544c6d66dd82e024d4f1f0d58ff87 Mon Sep 17 00:00:00 2001 From: Cash Costello Date: Sun, 10 Mar 2013 11:47:05 -0400 Subject: require token for login --- engine/lib/actions.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'engine/lib/actions.php') diff --git a/engine/lib/actions.php b/engine/lib/actions.php index ac6325813..f78ca63df 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php @@ -65,12 +65,11 @@ function action($action, $forwarder = "") { // @todo REMOVE THESE ONCE #1509 IS IN PLACE. // Allow users to disable plugins without a token in order to // remove plugins that are incompatible. - // Login and logout are for convenience. + // Logout for convenience. // file/download (see #2010) $exceptions = array( 'admin/plugins/disable', 'logout', - 'login', 'file/download', ); -- cgit v1.2.3