From caeeeb52cafe105c157f838397ade70bc8609900 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sun, 21 Jul 2019 11:05:51 +0200
Subject: Fix user self registration (#2442)

* Fix user self registration

Fix https://github.com/FreshRSS/FreshRSS/issues/2381

* CSRF for admin
---
 app/FreshRSS.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'app')

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index ecf13e4cf..8f614c538 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -68,9 +68,12 @@ class FreshRSS extends Minz_FrontController {
 ' [HTTP_REFERER=' . htmlspecialchars($http_referer, ENT_NOQUOTES, 'UTF-8') . ']'
 )));
 }
- if ((!FreshRSS_Auth::isCsrfOk()) &&
- (Minz_Request::controllerName() !== 'auth' || Minz_Request::actionName() !== 'login')) {
- // Token-based protection against XSRF attacks, except for the login form itself
+ if (!(FreshRSS_Auth::isCsrfOk() ||
+ (Minz_Request::controllerName() === 'auth' && Minz_Request::actionName() === 'login') ||
+ (Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' &&
+ !FreshRSS_Auth::hasAccess('admin'))
+ )) {
+ // Token-based protection against XSRF attacks, except for the login or self-create user forms
 Minz_Translate::init('en'); //TODO: Better choice of fallback language
 Minz_Error::error(403, array('error' => array(
 _t('feedback.access.denied'),
-- cgit v1.2.3
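Review bot: The new `user`/`create` exemption is keyed on `!FreshRSS_Auth::hasAccess('admin')` rather than on the request being unauthenticated, so any logged-in non-admin session also skips `isCsrfOk()` for that action, and the self-registration POST itself becomes reachable cross-site from any third-party page for every non-admin visitor. If a session already exists when the registration form is served, the form can carry a token like every other form and the exemption is unnecessary; otherwise narrow it to requests with no authenticated user (for instance `!FreshRSS_Auth::hasAccess()` if the class exposes a no-argument variant, which is not visible here) and record the reasoning in the comment, e.g. `// Self-registration may have no session yet, hence no CSRF token to verify; the user controller must still enforce that registration is enabled.` Whether the user controller independently checks that self-registration is enabled and rejects creates from non-admins cannot be confirmed from this hunk. The enclosing `if` and the `Minz_Error::error(403, ...)` call continue past the end of the hunk.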