Add csrf token on routes.

Signed-off-by: crynobone <[email protected]>
orchestral · Nov 13, 2014 · 4c7d61f · 4c7d61f
1 parent 9b50320
commit 4c7d61f
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 2 deletions.
diff --git a/src/Control/Routing/AclController.php b/src/Control/Routing/AclController.php
@@ -29,6 +29,9 @@ public function __construct(AclProcessor $processor)
     protected function setupFilters()
     {
         $this->beforeFilter('control.manage:acl');
+        $this->beforeFilter('orchestra.csrf', array(
+            'only' => array('postIndex', 'getSync'),
+        ));
     }
 
     /**

diff --git a/src/Control/Routing/RolesController.php b/src/Control/Routing/RolesController.php
@@ -28,6 +28,9 @@ public function __construct(RoleProcessor $processor)
     protected function setupFilters()
     {
         $this->beforeFilter('control.manage:roles');
+        $this->beforeFilter('orchestra.csrf', array(
+            'on' => array('post', 'put', 'delete'),
+        ));
     }
 
     /**

diff --git a/src/Control/Routing/ThemesController.php b/src/Control/Routing/ThemesController.php
@@ -27,6 +27,9 @@ public function __construct(ThemeProcessor $processor)
     protected function setupFilters()
     {
         $this->beforeFilter('control.manage:acl');
+        $this->beforeFilter('orchestra.csrf', array(
+            'only' => array('getActivate'),
+        ));
     }
 
     /**

diff --git a/src/views/acl/index.blade.php b/src/views/acl/index.blade.php
@@ -42,7 +42,7 @@
     <div class="row">
         <div class="twelve columns">
             <button type="submit" class="btn btn-primary">{{ trans('orchestra/foundation::label.submit') }}</button>
-            <a href="{{ resources("control.acl/sync/{$id}") }}" class="btn btn-link">
+            <a href="{{ resources("control.acl/sync/{$id}", array('csrf' => true)) }}" class="btn btn-link">
                 {{ trans('orchestra/control::label.sync-roles') }}
             </a>
         </div>

diff --git a/src/views/themes/_list.blade.php b/src/views/themes/_list.blade.php
@@ -9,7 +9,7 @@
             {{ trans('orchestra/control::label.themes.current') }}
         </button>
     @else
-        <a href="{{ resources("control.themes/activate/{$type}/{$id}") }}" class="btn btn-block btn-primary">
+        <a href="{{ resources("control.themes/activate/{$type}/{$id}", array('csrf' => true)) }}" class="btn btn-block btn-primary">
             {{ trans('orchestra/control::label.themes.activate') }}
         </a>
     @endif