summaryrefslogtreecommitdiffhomepage
path: root/modules/luci-lua-runtime/luasrc
diff options
context:
space:
mode:
Diffstat (limited to 'modules/luci-lua-runtime/luasrc')
-rw-r--r--modules/luci-lua-runtime/luasrc/dispatcher.lua24
1 files changed, 22 insertions, 2 deletions
diff --git a/modules/luci-lua-runtime/luasrc/dispatcher.lua b/modules/luci-lua-runtime/luasrc/dispatcher.lua
index dfbb225f0e..bbe7600c44 100644
--- a/modules/luci-lua-runtime/luasrc/dispatcher.lua
+++ b/modules/luci-lua-runtime/luasrc/dispatcher.lua
@@ -360,6 +360,22 @@ function render_lua_template(path)
tpl.render(path, getfenv(1))
end
+function test_post_security()
+ if http:getenv("REQUEST_METHOD") ~= "POST" then
+ http:status(405, "Method Not Allowed")
+ http:header("Allow", "POST")
+ return false
+ end
+
+ if http:formvalue("token") ~= context.authtoken then
+ http:status(403, "Forbidden")
+ _G.L.include("csrftoken")
+ return false
+ end
+
+ return true
+end
+
function call(name, ...)
return {
@@ -370,16 +386,20 @@ function call(name, ...)
}
end
-function post(name, ...)
+function post_on(params, name, ...)
return {
["type"] = "call",
["module"] = __controller,
["function"] = name,
["parameters"] = select('#', ...) > 0 and {...} or nil,
- ["post"] = true
+ ["post"] = params
}
end
+function post(...)
+ return post_on(true, ...)
+end
+
function view(name)
return {
["type"] = "view",