From 7be1e3ed38baf8233b7f6733db3f57859c1b2086 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Wed, 17 Feb 2021 15:04:39 +0300
Subject: pluginhandler: reject method requests without CSRF

---
 classes/pluginhandler.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'classes/pluginhandler.php')

diff --git a/classes/pluginhandler.php b/classes/pluginhandler.php
index 3fd823aa8..a0e60b4e6 100644
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -14,8 +14,8 @@ class PluginHandler extends Handler_Protected {
 				if (validate_csrf($csrf_token)) {
 					$plugin->$method();
 				} else {
-					user_error("Requested ${plugin_name}->${method}() with invalid CSRF token.", E_USER_DEPRECATED);
-					$plugin->$method();
+					user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING);
+					print error_json(6);
 				}
 			} else {
 				user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);
-- 
cgit v1.2.3