use csrf protection correctly, fixes #4545

Closes #4545 Merge request studip/studip!3341
author: Jan-Hendrik Willms <tleilax+studip@gmail.com> 2024-08-29 14:38:15 +0000
committer: Jan-Hendrik Willms <tleilax+studip@gmail.com> 2024-08-29 14:38:15 +0000
commit: c5bdbd16af8a4b1f2dec09a47c31cd5d2d240264 (patch)
tree: 15179224d934fb19c48a7470dd209df7a7e601c6 /app/controllers/course/wiki.php
parent: bb5c21dcd0cf9ebb25c3dbbaf7094f55cda08466 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/app/controllers/course/wiki.php b/app/controllers/course/wiki.php
index cf87b08..647ab8a 100644
--- a/app/controllers/course/wiki.php
+++ b/app/controllers/course/wiki.php
@@ -299,9 +299,12 @@ class Course_WikiController extends AuthenticatedController
 
     public function delete_action(WikiPage $page)
     {
-        if (!Request::isPost() || !$page->isEditable() || !CSRFProtection::verifyRequest()) {
+        CSRFProtection::verifyUnsafeRequest();
+
+        if (!$page->isEditable()) {
             throw new AccessDeniedException();
         }
+
         $name = $page->name;
         $page->delete();
         PageLayout::postSuccess(sprintf(_('Die Seite %s wurde gelöscht.'), htmlReady($name)));
@@ -310,7 +313,9 @@ class Course_WikiController extends AuthenticatedController
 
     public function deleteversion_action(WikiPage $page)
     {
-        if (!Request::isPost() || !$page->isEditable() || !CSRFProtection::verifyRequest()) {
+        CSRFProtection::verifyUnsafeRequest();
+
+        if (!$page->isEditable()) {
             throw new AccessDeniedException();
         }
author	Jan-Hendrik Willms <tleilax+studip@gmail.com>	2024-08-29 14:38:15 +0000
committer	Jan-Hendrik Willms <tleilax+studip@gmail.com>	2024-08-29 14:38:15 +0000
commit	c5bdbd16af8a4b1f2dec09a47c31cd5d2d240264 (patch)
tree	15179224d934fb19c48a7470dd209df7a7e601c6 /app/controllers/course/wiki.php
parent	bb5c21dcd0cf9ebb25c3dbbaf7094f55cda08466 (diff)