security::csrf::validate (public)
security::csrf::validate [ -tokenname tokenname ] \
    [ -allowempty allowempty ]
Defined in packages/acs-tcl/tcl/security-procs.tcl
Validate a CSRF token and call security::csrf::fail to fail the request if the token is invalid.
- Switches:
  - -tokenname (optional, defaults to "__csrf_token")
  - -allowempty (optional, defaults to "false")
- Returns:
  - nothing
- Testcases:
  - create_workflow_with_instance
Source code:
    if {![info exists ::$tokenname] || ![ns_conn isconnected]} {
        #
        # If there is no global CSRF token, or we are not in a
        # connection thread, we accept everything. If there is
        # no CSRF token, we assume, that its generation is
        # deactivated,
        #
        return
    }

    set oldToken [ns_queryget $tokenname]
    if {$oldToken eq ""} {
        #
        # There is no token in the query/form parameters, we
        # can't validate, since there is no token.
        #
        if {$allowempty} {
            return
        }
        fail
    }

    set token [token -tokenname $tokenname]

    if {$oldToken ne $token} {
        fail
    }

Generic XQL file: packages/acs-tcl/tcl/security-procs.xql
PostgreSQL XQL file: packages/acs-tcl/tcl/security-procs-postgresql.xql
Oracle XQL file: packages/acs-tcl/tcl/security-procs-oracle.xql
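
The accept and reject paths of the source code above, walked through as an added example that is not part of OpenACS. It is a stand-alone tclsh model in a hypothetical `demo` namespace: `ns_conn`, `ns_queryget`, `token` and `fail` are stubs (the stub `fail` raises an error, an assumption standing in for ending the request), and the token values are constructed.

```tcl
# Added example: runs in plain tclsh, no NaviServer or OpenACS needed.
# Everything in ::demo is a stand-in; the token values are constructed.
namespace eval demo {
    variable connected 1
    variable submitted ""
    variable sessionToken "constructed-token-A"
}
proc demo::ns_conn {subcmd} { return $::demo::connected }
proc demo::ns_queryget {name} { return $::demo::submitted }
proc demo::token {args} { return $::demo::sessionToken }
# Assumption: the real fail ends the request; here it raises an error.
proc demo::fail {} { error "CSRF validation failed" }

# Same decision logic as the source code shown above.
proc demo::validate {{tokenname __csrf_token} {allowempty false}} {
    if {![info exists ::$tokenname] || ![ns_conn isconnected]} { return }
    set oldToken [ns_queryget $tokenname]
    if {$oldToken eq ""} {
        if {$allowempty} { return }
        fail
    }
    if {$oldToken ne [token -tokenname $tokenname]} { fail }
}

# Set up one scenario and report whether validate let the request through.
proc demo::outcome {globalSet connected submitted allowempty} {
    unset -nocomplain ::__csrf_token
    if {$globalSet} { set ::__csrf_token $::demo::sessionToken }
    set ::demo::connected $connected
    set ::demo::submitted $submitted
    if {[catch {validate __csrf_token $allowempty}]} { return rejected }
    return accepted
}

foreach {label globalSet connected submitted allowempty} {
    "token generation off"      0 1 ""                    false
    "no connection thread"      1 0 ""                    false
    "empty token, default"      1 1 ""                    false
    "empty token, -allowempty"  1 1 ""                    true
    "mismatched token"          1 1 "constructed-token-B" false
    "matching token"            1 1 "constructed-token-A" false
} {
    puts [format "%-26s -> %s" $label \
        [demo::outcome $globalSet $connected $submitted $allowempty]]
}
```

The first, second and fourth rows are accepted without any token comparison, which is why callers of state-changing pages should leave -allowempty at its default.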