Refine error messages for CSRF exceptions
Summary: See T489. Provide slightly more detail so we can figure out if there's a real issue here. Test Plan: Hit URIs like: /differential/comment/preview/29/ /differential/comment/preview/29/?__ajax__=1 /differential/comment/preview/29/?__csrf__=1 ...and got appropriate error messages. Reviewers: jungejason Reviewed By: jungejason CC: aran, jungejason Differential Revision: 884
This commit is contained in:
parent
83f1140785
commit
c2fef51b3d
1 changed files with 18 additions and 1 deletions
|
@ -145,6 +145,22 @@ class AphrontRequest {
|
||||||
|
|
||||||
$valid = $this->getUser()->validateCSRFToken($token);
|
$valid = $this->getUser()->validateCSRFToken($token);
|
||||||
if (!$valid) {
|
if (!$valid) {
|
||||||
|
|
||||||
|
// Add some diagnostic details so we can figure out if some CSRF issues
|
||||||
|
// are JS problems or people accessing Ajax URIs directly with their
|
||||||
|
// browsers.
|
||||||
|
if ($token) {
|
||||||
|
$token_info = "with an invalid CSRF token";
|
||||||
|
} else {
|
||||||
|
$token_info = "without a CSRF token";
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($this->isAjax()) {
|
||||||
|
$more_info = "(This was an Ajax request, {$token_info}.)";
|
||||||
|
} else {
|
||||||
|
$more_info = "(This was a web request, {$token_info}.)";
|
||||||
|
}
|
||||||
|
|
||||||
// This should only be able to happen if you load a form, pull your
|
// This should only be able to happen if you load a form, pull your
|
||||||
// internet for 6 hours, and then reconnect and immediately submit,
|
// internet for 6 hours, and then reconnect and immediately submit,
|
||||||
// but give the user some indication of what happened since the workflow
|
// but give the user some indication of what happened since the workflow
|
||||||
|
@ -155,7 +171,8 @@ class AphrontRequest {
|
||||||
"certain type of login hijacking attack. However, the token can ".
|
"certain type of login hijacking attack. However, the token can ".
|
||||||
"become invalid if you leave a page open for more than six hours ".
|
"become invalid if you leave a page open for more than six hours ".
|
||||||
"without a connection to the internet. To fix this problem: reload ".
|
"without a connection to the internet. To fix this problem: reload ".
|
||||||
"the page, and then resubmit it.");
|
"the page, and then resubmit it.\n\n".
|
||||||
|
$more_info);
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
|
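Review bot: The `if ($token)` that opens the new diagnostic block in the first hunk uses PHP truthiness, so a submitted token of `"0"` (or any falsy value) would be reported as "without a CSRF token" even though one was sent; `if (strlen($token))` or `if ($token !== null)`, whichever matches how `$token` is populated above the hunk, keeps the two messages honest. The new text deliberately does not echo the submitted `$token` value into the exception message, which is the right choice since this message reaches the user-facing error page and an attacker-controlled value should not be reflected there; a short comment such as `// Never include the token value itself in the message.` would keep a later edit from adding it. As a matter of style, the two `if`/`else` pairs could collapse to one-liners, e.g. `$token_info = strlen($token) ? "with an invalid CSRF token" : "without a CSRF token";`. The enclosing method starts before the first hunk and its preceding lines are not visible here.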