From fb1a0d6d256f99159175eb245ebbb7c2055a21a6 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Thu, 28 May 2015 00:12:44 +0200
Subject: [PATCH] Added POST constraint to backend_api controller.
---
 src/application/controllers/backend_api.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/application/controllers/backend_api.php b/src/application/controllers/backend_api.php
index 60d58d49..27e02c78 100644
--- a/src/application/controllers/backend_api.php
+++ b/src/application/controllers/backend_api.php
@@ -9,6 +9,11 @@ class Backend_api extends CI_Controller {
 public function __construct() {
 parent::__construct();
+ // All the methods in this class must be accessible through a POST request.
+ if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
+ $this->security->csrf_show_error();
+ }
+
 $this->load->library('session');
 $this->load->model('roles_model');
 $this->privileges = $this->roles_model->get_privileges($this->session->userdata('role_slug'));
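Review bot: The method guard added to `__construct()` rejects non-POST requests through `$this->security->csrf_show_error()`, which reports a CSRF failure for what is a method mismatch and leaves ending the request to that helper; `show_error('Method Not Allowed', 405);` would state the real reason and send the matching status. Restricting the verb is not CSRF protection by itself, since a cross-site form can also submit a POST, so the check only helps if CodeIgniter's token verification (`csrf_protection` in the config, not visible in this hunk) is enabled; the comment could say so, e.g. `// Only POST is accepted so that every call passes through the CSRF token check.` Reading `$_SERVER['REQUEST_METHOD']` directly also raises a notice when the controller is loaded outside a web request, which `$this->input->server('REQUEST_METHOD')` avoids. The constructor's body continues past the end of the hunk.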