use csrf protection correctly, fixes #4545

Closes #4545 Merge request studip/studip!3341
author: Jan-Hendrik Willms <tleilax+studip@gmail.com> 2024-08-29 14:38:15 +0000
committer: Jan-Hendrik Willms <tleilax+github@gmail.com> 2024-08-30 14:53:58 +0200
commit: 03c5927fa48eb86f44042a12c4d8cfb9eb7e41f3 (patch)
tree: 3015bdf4c0f3a54b6104c0ac556c0f05f383da5e /app/controllers/course/wiki.php
parent: 4435f2a99b3d7d24a3957c9e9e25eb9ca9667e2a (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/app/controllers/course/wiki.php b/app/controllers/course/wiki.php
index ac997e8..970ea46 100644
--- a/app/controllers/course/wiki.php
+++ b/app/controllers/course/wiki.php
@@ -299,9 +299,12 @@ class Course_WikiController extends AuthenticatedController
 
     public function delete_action(WikiPage $page)
     {
-        if (!Request::isPost() || !$page->isEditable() || !CSRFProtection::verifyRequest()) {
+        CSRFProtection::verifyUnsafeRequest();
+
+        if (!$page->isEditable()) {
             throw new AccessDeniedException();
         }
+
         $name = $page->name;
         $page->delete();
         PageLayout::postSuccess(sprintf(_('Die Seite %s wurde gelöscht.'), htmlReady($name)));
@@ -310,7 +313,9 @@ class Course_WikiController extends AuthenticatedController
 
     public function deleteversion_action(WikiPage $page)
     {
-        if (!Request::isPost() || !$page->isEditable() || !CSRFProtection::verifyRequest()) {
+        CSRFProtection::verifyUnsafeRequest();
+
+        if (!$page->isEditable()) {
             throw new AccessDeniedException();
         }
author	Jan-Hendrik Willms <tleilax+studip@gmail.com>	2024-08-29 14:38:15 +0000
committer	Jan-Hendrik Willms <tleilax+github@gmail.com>	2024-08-30 14:53:58 +0200
commit	03c5927fa48eb86f44042a12c4d8cfb9eb7e41f3 (patch)
tree	3015bdf4c0f3a54b6104c0ac556c0f05f383da5e /app/controllers/course/wiki.php
parent	4435f2a99b3d7d24a3957c9e9e25eb9ca9667e2a (diff)