authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2019-07-25 16:51:48 +0200
committerGravatar GitHub <noreply@github.com> 2019-07-25 16:51:48 +0200
commit82611c9622ed23b0e9fcf5f9f651ddffa1fd7706 (patch)
treefc2c97fd8dd84ec30473cb85b889d8326c9a831a /app/FreshRSS.php
parent744a9e8cf00aef7dec0acfa5f90f0dcfa2ef8837 (diff)
parent042b40eeeea77db854daab1bec96fce5c2cdd4b2 (diff)
Merge pull request #2451 from FreshRSS/dev1.14.3
FreshRSS 1.14.3
Diffstat (limited to 'app/FreshRSS.php')
-rw-r--r--app/FreshRSS.php9
1 files changed, 6 insertions, 3 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index ecf13e4cf..8f614c538 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -68,9 +68,12 @@ class FreshRSS extends Minz_FrontController {
' [HTTP_REFERER=' . htmlspecialchars($http_referer, ENT_NOQUOTES, 'UTF-8') . ']'
)));
}
- if ((!FreshRSS_Auth::isCsrfOk()) &&
- (Minz_Request::controllerName() !== 'auth' || Minz_Request::actionName() !== 'login')) {
- // Token-based protection against XSRF attacks, except for the login form itself
+ if (!(FreshRSS_Auth::isCsrfOk() ||
+ (Minz_Request::controllerName() === 'auth' && Minz_Request::actionName() === 'login') ||
+ (Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' &&
+ !FreshRSS_Auth::hasAccess('admin'))
+ )) {
+ // Token-based protection against XSRF attacks, except for the login or self-create user forms
Minz_Translate::init('en'); //TODO: Better choice of fallback language
Minz_Error::error(403, array('error' => array(
_t('feedback.access.denied'),
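Review bot: The new `user`/`create` branch switches CSRF protection off for every request that is not an admin session, not only for the anonymous self-registration form: a logged-in non-admin user's browser can now submit `user/create` cross-site without a token, and whether that is harmless depends on checks inside the controller that this hunk does not show. Consider gating the exemption on the absence of a logged-in session rather than on the absence of admin rights, and on the same "self-registration enabled" setting the controller presumably consults, so the bypass is exactly as wide as the public form needs; I cannot confirm from here what the auth layer exposes for that. The triple-nested negation is also hard to read, and hoisting the exemption into a named local keeps the intent visible without changing behaviour (rewrite below). The enclosing method starts and ends outside the hunk.

```php
$controller = Minz_Request::controllerName();
$action = Minz_Request::actionName();
// Token-based protection against XSRF attacks, except for the login or self-create user forms
$isLoginForm = $controller === 'auth' && $action === 'login';
$isSelfRegistration = $controller === 'user' && $action === 'create' && !FreshRSS_Auth::hasAccess('admin');
$isCsrfExempt = FreshRSS_Auth::isCsrfOk() || $isLoginForm || $isSelfRegistration;
if (!$isCsrfExempt) {
	// … unchanged: fallback translation and 403 error …
```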