Diffstat (limited to 'modules/luci-lua-runtime/luasrc/dispatcher.lua')
-rw-r--r-- | modules/luci-lua-runtime/luasrc/dispatcher.lua | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/modules/luci-lua-runtime/luasrc/dispatcher.lua b/modules/luci-lua-runtime/luasrc/dispatcher.lua
index dfbb225f0e..bbe7600c44 100644
--- a/modules/luci-lua-runtime/luasrc/dispatcher.lua
+++ b/modules/luci-lua-runtime/luasrc/dispatcher.lua
@@ -360,6 +360,22 @@ function render_lua_template(path)
 tpl.render(path, getfenv(1))
 end
+function test_post_security()
+ if http:getenv("REQUEST_METHOD") ~= "POST" then
+ http:status(405, "Method Not Allowed")
+ http:header("Allow", "POST")
+ return false
+ end
+
+ if http:formvalue("token") ~= context.authtoken then
+ http:status(403, "Forbidden")
+ _G.L.include("csrftoken")
+ return false
+ end
+
+ return true
+end
+
 function call(name, ...)
 return {
@@ -370,16 +386,20 @@ function call(name, ...)
 }
 end
-function post(name, ...)
+function post_on(params, name, ...)
 return {
 ["type"] = "call",
 ["module"] = __controller,
 ["function"] = name,
 ["parameters"] = select('#', ...) > 0 and {...} or nil,
- ["post"] = true
+ ["post"] = params
 }
 end
+function post(...)
+ return post_on(true, ...)
+end
+
 function view(name)
 return {
 ["type"] = "view", |
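Review bot: The token comparison in `test_post_security()` fails open when both sides are nil: if `context.authtoken` is unset and the request has no `token` field, `nil ~= nil` is false and the function returns true. Whether `context.authtoken` can be nil when this runs is not visible in the hunk, so the check should fail closed regardless, e.g. `local expected = context.authtoken` followed by `if not expected or http:formvalue("token") ~= expected then`. The new global function also has no comment; a short header should say that it writes the 405/403 response itself and that callers must stop handling the request when it returns `false`.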
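Review bot: `post_on()` copies `params` into the node's `post` field unchecked, so `post_on(nil, ...)` or `post_on(false, ...)` builds an action that presumably carries no POST/token requirement at all; the code that reads `post` is outside this diff. Because this field is what marks an action as state-changing, a guard at the top such as `if not params then error("post_on: params must not be nil or false", 2) end` would surface a mistaken call when the controller is loaded instead of leaving the endpoint unprotected. `post_on` also needs a comment stating which values `params` accepts and how they differ from the plain `true` that `post(...)` passes.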