Actually check CSRF on Password and LDAP forms

Summary: Ref T4339. We didn't previously check `isFormPost()` on these, but now should.

Test Plan: Changed csrf token on login, got kicked out.

Reviewers: btrahan, chad

Reviewed By: chad

CC: aran

Maniphest Tasks: T4339

Differential Revision: https://secure.phabricator.com/D8051

src/applications/auth/provider/PhabricatorAuthProviderLDAP.php

@@ -150,6 +150,7 @@ final class PhabricatorAuthProviderLDAP
       return array($account, $response);
     }
 
+    if ($request->isFormPost()) {
       try {
         if (strlen($username) && $has_password) {
           $adapter = $this->getAdapter();
@@ -170,6 +171,7 @@ final class PhabricatorAuthProviderLDAP
         // TODO: Make this cleaner.
         throw $ex;
       }
+    }
 
     return array($this->loadOrCreateAccount($account_id), $response);
   }

src/applications/auth/provider/PhabricatorAuthProviderPassword.php

@@ -163,6 +163,7 @@ final class PhabricatorAuthProviderPassword
     $account = null;
     $log_user = null;
 
+    if ($request->isFormPost()) {
       if (!$require_captcha || $captcha_valid) {
         $username_or_email = $request->getStr('username');
         if (strlen($username_or_email)) {
@@ -171,7 +172,8 @@ final class PhabricatorAuthProviderPassword
             $username_or_email);
 
           if (!$user) {
-          $user = PhabricatorUser::loadOneWithEmailAddress($username_or_email);
+            $user = PhabricatorUser::loadOneWithEmailAddress(
+              $username_or_email);
           }
 
           if ($user) {
@@ -183,6 +185,7 @@ final class PhabricatorAuthProviderPassword
           }
         }
       }
+    }
 
     if (!$account) {
       if ($request->isFormPost()) {