From c5098263b36fe608e9fd55ca5c87718dd6f8e32c Mon Sep 17 00:00:00 2001
From: swaggboi
Date: Thu, 15 Aug 2024 21:25:12 -0400
Subject: [PATCH] CSRF validation for mod/admin actions

---
 lib/PostText/Controller/Moderator.pm | 63 ++++++++++++++++++++++++----
 1 file changed, 56 insertions(+), 7 deletions(-)

diff --git a/lib/PostText/Controller/Moderator.pm b/lib/PostText/Controller/Moderator.pm
index 9730559..b560207 100644
--- a/lib/PostText/Controller/Moderator.pm
+++ b/lib/PostText/Controller/Moderator.pm
@@ -160,8 +160,15 @@ sub create($self) {
 $v->required('name' )->size(1, 64);
 $v->required('email' )->size(6, 320);
 $v->required('password')->size(12, undef);
+ $v->csrf_protect;
 
- if ($v->has_error) {
+ if ($v->has_error('csrf_token')) {
+ $self->stash(
+ status => 403,
+ error => 'Something went wrong, please try again. 🥺'
+ )
+ }
+ elsif ($v->has_error) {
 $self->stash(status => 400)
 }
 else {
@@ -185,8 +192,15 @@ sub admin_reset($self) {
 if ($v && $v->has_data) {
 $v->required('email' )->size(6, 320);
 $v->required('password')->size(12, undef);
+ $v->csrf_protect;
 
- if ($v->has_error) {
+ if ($v->has_error('csrf_token')) {
+ $self->stash(
+ status => 403,
+ error => 'Something went wrong, please try again. 🥺'
+ )
+ }
+ elsif ($v->has_error) {
 $self->stash(status => 400)
 }
 else {
@@ -208,8 +222,15 @@ sub mod_reset($self) {
 
 if ($v && $v->has_data) {
 $v->required('password')->size(12, undef);
+ $v->csrf_protect;
 
- if ($v->has_error) {
+ if ($v->has_error('csrf_token')) {
+ $self->stash(
+ status => 403,
+ error => 'Something went wrong, please try again. 🥺'
+ )
+ }
+ elsif ($v->has_error) {
 $self->stash(status => 400)
 }
 else {
@@ -233,8 +254,15 @@ sub lock_acct($self) {
 
 if ($v && $v->has_data) {
 $v->required('email')->size(6, 320);
+ $v->csrf_protect;
 
- if ($v->has_error) {
+ if ($v->has_error('csrf_token')) {
+ $self->stash(
+ status => 403,
+ error => 'Something went wrong, please try again. 🥺'
+ )
+ }
+ elsif ($v->has_error) {
 $self->stash(status => 400)
 }
 else {
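Review bot: The identical seven-line 403 branch is pasted into create and again into admin_reset, mod_reset, lock_acct, unlock_acct, promote and demote (the six hunks that follow); a private helper keeps the status, message and any logging in one place and reduces each branch to `$self->_reject_csrf`. The 403 with a generic message is the right shape, since it tells the client nothing about which check failed, but nothing records the rejection, so a failed CSRF check leaves no trace in the application log; the helper below adds a warn-level entry with the request path, which is enough for detection without echoing the token itself. Each `sub` here starts before the hunk and ends after it, so the `if ($v && $v->has_data)` wrapper and the render path are not visible, and presumably the matching templates already emit `csrf_field`, which this patch does not touch.
```perl
# Shared handling for a failed CSRF check: log it for detection, then stash a
# 403 with a generic message so the response does not say which check failed.
sub _reject_csrf($self) {
    $self->app->log->warn('CSRF token mismatch on ' . $self->req->url->path);
    $self->stash(
        status => 403,
        error  => 'Something went wrong, please try again. 🥺'
    );
    return;
}

# … unchanged: create's field validations …
    $v->csrf_protect;

    if ($v->has_error('csrf_token')) {
        $self->_reject_csrf
    }
    elsif ($v->has_error) {
# … unchanged: rest of create, and the same one-line branch in the other six subs …
```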
@@ -255,8 +283,15 @@ sub unlock_acct($self) {
 
 if ($v && $v->has_data) {
 $v->required('email')->size(6, 320);
+ $v->csrf_protect;
 
- if ($v->has_error) {
+ if ($v->has_error('csrf_token')) {
+ $self->stash(
+ status => 403,
+ error => 'Something went wrong, please try again. 🥺'
+ )
+ }
+ elsif ($v->has_error) {
 $self->stash(status => 400)
 }
 else {
@@ -277,8 +312,15 @@ sub promote($self) {
 
 if ($v && $v->has_data) {
 $v->required('email')->size(6, 320);
+ $v->csrf_protect;
 
- if ($v->has_error) {
+ if ($v->has_error('csrf_token')) {
+ $self->stash(
+ status => 403,
+ error => 'Something went wrong, please try again. 🥺'
+ )
+ }
+ elsif ($v->has_error) {
 $self->stash(status => 400)
 }
 else {
@@ -299,8 +341,15 @@ sub demote($self) {
 
 if ($v && $v->has_data) {
 $v->required('email')->size(6, 320);
+ $v->csrf_protect;
 
- if ($v->has_error) {
+ if ($v->has_error('csrf_token')) {
+ $self->stash(
+ status => 403,
+ error => 'Something went wrong, please try again. 🥺'
+ )
+ }
+ elsif ($v->has_error) {
 $self->stash(status => 400)
 }
 else {