diff options
Diffstat (limited to 'app/FreshRSS.php')
| -rw-r--r-- | app/FreshRSS.php | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php index ecf13e4cf..8f614c538 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -68,9 +68,12 @@ class FreshRSS extends Minz_FrontController { ' [HTTP_REFERER=' . htmlspecialchars($http_referer, ENT_NOQUOTES, 'UTF-8') . ']' ))); } - if ((!FreshRSS_Auth::isCsrfOk()) && - (Minz_Request::controllerName() !== 'auth' || Minz_Request::actionName() !== 'login')) { - // Token-based protection against XSRF attacks, except for the login form itself + if (!(FreshRSS_Auth::isCsrfOk() || + (Minz_Request::controllerName() === 'auth' && Minz_Request::actionName() === 'login') || + (Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' && + !FreshRSS_Auth::hasAccess('admin')) + )) { + // Token-based protection against XSRF attacks, except for the login or self-create user forms Minz_Translate::init('en'); //TODO: Better choice of fallback language Minz_Error::error(403, array('error' => array( _t('feedback.access.denied'), |