From: Jo-Philipp Wich Date: Thu, 22 Oct 2015 06:30:29 +0000 (+0200) Subject: luci-base: dispatcher expose test_post_security() X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=d32c68503994d46aa71473a647118b431119ae2a;p=project%2Fluci.git luci-base: dispatcher expose test_post_security() Allows external code to perform POST and token checking manually. Signed-off-by: Jo-Philipp Wich --- diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index 6742a0b33d..cd5d77a12b 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -172,6 +172,22 @@ local function require_post_security(target) return false end +function test_post_security() + if http.getenv("REQUEST_METHOD") ~= "POST" then + http.status(405, "Method Not Allowed") + http.header("Allow", "POST") + return false + end + + if http.formvalue("token") ~= context.authtoken then + http.status(403, "Forbidden") + luci.template.render("csrftoken") + return false + end + + return true +end + function dispatch(request) --context._disable_memtrace = require "luci.debug".trap_memtrace("l") local ctx = context @@ -376,15 +392,7 @@ function dispatch(request) end if c and require_post_security(c.target) then - if http.getenv("REQUEST_METHOD") ~= "POST" then - http.status(405, "Method Not Allowed") - http.header("Allow", "POST") - return - end - - if http.formvalue("token") ~= ctx.authtoken then - http.status(403, "Forbidden") - luci.template.render("csrftoken") + if not test_post_security(c) then return end end