Fix user self registration (#2442)

* Fix user self registration Fix https://github.com/FreshRSS/FreshRSS/issues/2381 * CSRF for admin
author: Alexandre Alapetite <alexandre@alapetite.fr> 2019-07-21 11:05:51 +0200
committer: GitHub <noreply@github.com> 2019-07-21 11:05:51 +0200
commit: caeeeb52cafe105c157f838397ade70bc8609900 (patch)
tree: 4c647a1d9f596d3db40019fcfa87df647653a1dc /app
parent: 1aa2af9752f7c1cb3a5753156900fc33bf9f2d2c (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index ecf13e4cf..8f614c538 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -68,9 +68,12 @@ class FreshRSS extends Minz_FrontController {
 						' [HTTP_REFERER=' . htmlspecialchars($http_referer, ENT_NOQUOTES, 'UTF-8') . ']'
 					)));
 			}
-			if ((!FreshRSS_Auth::isCsrfOk()) &&
-				(Minz_Request::controllerName() !== 'auth' || Minz_Request::actionName() !== 'login')) {
-				// Token-based protection against XSRF attacks, except for the login form itself
+			if (!(FreshRSS_Auth::isCsrfOk() ||
+				(Minz_Request::controllerName() === 'auth' && Minz_Request::actionName() === 'login') ||
+				(Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' &&
+					!FreshRSS_Auth::hasAccess('admin'))
+				)) {
+				// Token-based protection against XSRF attacks, except for the login or self-create user forms
 				Minz_Translate::init('en');	//TODO: Better choice of fallback language
 				Minz_Error::error(403, array('error' => array(
 						_t('feedback.access.denied'),
author	Alexandre Alapetite <alexandre@alapetite.fr>	2019-07-21 11:05:51 +0200
committer	GitHub <noreply@github.com>	2019-07-21 11:05:51 +0200
commit	caeeeb52cafe105c157f838397ade70bc8609900 (patch)
tree	4c647a1d9f596d3db40019fcfa87df647653a1dc /app
parent	1aa2af9752f7c1cb3a5753156900fc33bf9f2d2c (diff)