From 8b450be09bacada8e4ae96079065783bbdacdf5b Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 10 Sep 2021 12:05:43 -0400 Subject: [PATCH] Move unsecured GET endpoint handlers before security token check in Module\Contact --- src/Module/Contact.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/Module/Contact.php b/src/Module/Contact.php index bcdebf28d..2b17deab4 100644 --- a/src/Module/Contact.php +++ b/src/Module/Contact.php @@ -365,6 +365,14 @@ class Contact extends BaseModule throw new NotFoundException(DI::l10n()->t('Contact not found')); } + if ($cmd === 'posts') { + return self::getPostsHTML($a, $contact_id); + } + + if ($cmd === 'conversations') { + return self::getConversationsHMTL($a, $contact_id, $update); + } + self::checkFormSecurityTokenRedirectOnError('contact/' . $contact_id, 'contact_action', 't'); $cdata = Model\Contact::getPublicAndUserContactID($orig_record['id'], local_user()); @@ -440,12 +448,6 @@ class Contact extends BaseModule DI::baseUrl()->redirect('contact'); // NOTREACHED } - if ($cmd === 'posts') { - return self::getPostsHTML($a, $contact_id); - } - if ($cmd === 'conversations') { - return self::getConversationsHMTL($a, $contact_id, $update); - } } $_SESSION['return_path'] = DI::args()->getQueryString();