From df97eaac223e8e3c1cbd6f1474bc72a9ace9d51e Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Wed, 27 May 2009 13:22:43 +0200
Subject: [PATCH] Don't check for CSRF attacks when no user is logged in
 FS#1619

Ignore-this: 3ef4fafa34a7bbba76435b5db6935b57

There is no need to fight against a privilege stealing attack when the
attacked user has no privileges.

Skipping the check re-enables editing without cookies.

darcs-hash:20090527112243-7ad00-c1acd3161ececf3d922d5842033cb7d3f1910a16.gz
---
 inc/common.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/inc/common.php b/inc/common.php
index c056e8f31..dfc563b7f 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -68,6 +68,8 @@ function getSecurityToken(){
  * Check the secret CSRF token
  */
 function checkSecurityToken($token=null){
+  if(!$_SERVER['REMOTE_USER']) return true; // no logged in user, no need for a check
+
   if(is_null($token)) $token = $_REQUEST['sectok'];
   if(getSecurityToken() != $token){
     msg('Security Token did not match. Possible CSRF attack.',-1);
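Review bot: The new guard `if(!$_SERVER['REMOTE_USER']) return true;` reads an index that may not exist when no authentication has taken place, which raises an undefined-index notice under normal error reporting, and it also treats a user whose login name is the string "0" as not logged in, because `!"0"` is true in PHP, so that account would skip the CSRF check entirely. `if(!isset($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] === '') return true;` avoids both problems while keeping the intended behaviour for anonymous requests. The description says the change re-enables anonymous editing, so the skip also covers any write that an ACL grants to anonymous users; a forced cross-site submission could then still produce an anonymous edit attributed to the victim's IP, and that accepted trade-off deserves a comment on the line, e.g. `// anonymous user: no session to hijack; writes granted to anonymous by ACL are deliberately unprotected`. checkSecurityToken's body continues past the end of the hunk.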
-- 
GitLab