more the csrf to before actions.php

pull/1857/head
Isaac Connor 2017-03-29 10:19:00 -04:00
parent 8bb9ba7bea
commit 35067211e0
1 changed files with 8 additions and 17 deletions


@ -150,16 +150,6 @@ require_once( 'includes/csrf/csrf-magic.php' );
# Running is global but only do the daemonCheck if it is actually needed # Running is global but only do the daemonCheck if it is actually needed
$running = null; $running = null;
#= daemonCheck();
#$states = dbFetchAll( 'SELECT * FROM States' );
#foreach ( $states as $state ) {
#if ( $state['IsActive'] == 1 ) {
#$run_state = $state['Name'];
#break;
#}
#}
#$status = $running?translate('Running'):translate('Stopped');
#$run_state = dbFetchOne('SELECT Name FROM States WHERE IsActive = 1', 'Name' );
# Add Cross domain access headers # Add Cross domain access headers
CORSHeaders(); CORSHeaders();
@ -192,13 +182,6 @@ if ( ZM_OPT_USE_AUTH && ZM_AUTH_HASH_LOGINS ) {
if ( isset($_REQUEST['action']) ) { if ( isset($_REQUEST['action']) ) {
$action = detaintPath($_REQUEST['action']); $action = detaintPath($_REQUEST['action']);
} }
# Need to include actions because it does auth
require_once( 'includes/actions.php' );
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
if ( ZM_OPT_USE_AUTH && ! isset($user) && $view != 'login' ) {
$view = 'login';
}
# The only variable we really need to set is action. The others are informal. # The only variable we really need to set is action. The others are informal.
isset($view) || $view = NULL; isset($view) || $view = NULL;
@ -210,6 +193,14 @@ if ( ZM_ENABLE_CSRF_MAGIC && $action != 'login' ) {
csrf_check(); csrf_check();
} }
# Need to include actions because it does auth
require_once( 'includes/actions.php' );
# If I put this here, it protects all views and popups, but it has to go after actions.php because actions.php does the actual logging in.
if ( ZM_OPT_USE_AUTH && ! isset($user) && $view != 'login' ) {
$view = 'login';
}
# Only one request can open the session file at a time, so let's close the session here to improve concurrency. # Only one request can open the session file at a time, so let's close the session here to improve concurrency.
# Any file/page that sets session variables must re-open it. # Any file/page that sets session variables must re-open it.
session_write_close(); session_write_close();
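Review bot: The comment carried over with the relocated block ("If I put this here, it protects all views and popups, but it has to go after actions.php…") still describes the old placement and no longer states the ordering this commit actually establishes, which is the security-relevant invariant a future maintainer must not break. I would replace it with something like `# Order matters: csrf_check() above must run before actions.php so that no state-changing action executes without a valid token, and this login fallback must run after actions.php because actions.php performs the login.` It is also worth noting in that comment that the check is bypassed both when ZM_ENABLE_CSRF_MAGIC is off and for the `login` action, so the login request itself is not token-protected here; whether that exemption is intended can't be judged from this hunk. The surrounding code is top-level script and the lines that give `$action` its default sit outside this hunk, so the `$action != 'login'` comparison (loose `!=`, which `!==` would make explicit) depends on that default being a string.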