pluginhandler: reject method requests without CSRF

2025-12-16 08:25:57 +00:00 · 2021-02-17 15:04:39 +03:00
parent 2b2833bb4f
commit 7be1e3ed38
1 changed files with 2 additions and 2 deletions
--- a/classes/pluginhandler.php
+++ b/classes/pluginhandler.php
@@ -14,8 +14,8 @@ class PluginHandler extends Handler_Protected {
 				if (validate_csrf($csrf_token)) {
 					$plugin->$method();
 				} else {
-					user_error("Requested ${plugin_name}->${method}() with invalid CSRF token.", E_USER_DEPRECATED);
+					user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING);
-					$plugin->$method();
+					print error_json(6);
 				}
 			} else {
 				user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);