diff --git a/lib/Alchemy/Phrasea/Controller/Root/AccountController.php b/lib/Alchemy/Phrasea/Controller/Root/AccountController.php
index 6a6bc67b1a..8992212868 100644
--- a/lib/Alchemy/Phrasea/Controller/Root/AccountController.php
+++ b/lib/Alchemy/Phrasea/Controller/Root/AccountController.php
@@ -318,6 +318,8 @@ public function displayAccount()
$initiatedValidations = $this->getBasketRepository()->findby(['vote_initiator' => $user, ]);
+ $this->setSessionFormToken('userAccount');
+
return $this->render('account/account.html.twig', [
'user' => $user,
'evt_mngr' => $manager,
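Review bot: The form-token name `'userAccount'` is repeated as a bare string here, in updateAccount's `isCrsfValid` call, in the template's hidden field (named `userAccount_token`, going by the test payload) and in AccountTest, so a typo in any one of them makes the 403 branch fire for every legitimate submission. A class constant, e.g. `private const ACCOUNT_FORM_TOKEN = 'userAccount';`, used at both controller call sites keeps the issuing and checking ends in sync; the same applies to `'newApplication'` in DeveloperController::displayFormApp and newApp. It would also help to state in a one-line comment that the token is regenerated on every render, since that decides whether a form left open in a second tab still submits. displayAccount's body begins before this hunk.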
@@ -417,6 +419,10 @@ public function confirmDeleteAccount(Request $request)
*/
public function updateAccount(Request $request)
{
+ if (!$this->isCrsfValid($request, 'userAccount')) {
+ return new Response('invalid crsf token form', 403);
+ }
+
$registrations = $request->request->get('registrations', []);
if (false === is_array($registrations)) {
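Review bot: The rejection response text `'invalid crsf token form'` misspells CSRF; since the string is user-visible and will be matched by tests and log searches, `return new Response('invalid csrf token form', 403);` is worth fixing now, here and in DeveloperController::newApp (the helper name isCrsfValid presumably exists elsewhere in the project and is not changeable in this hunk). A short comment above the guard, such as `// Token issued by displayAccount() for this session; reject forged or replayed submissions.`, would tell a reader where the token comes from. Whether isCrsfValid consumes the token after a successful check cannot be seen here; if it does not, a token that leaks stays usable for the rest of the session, which is worth documenting on the helper. updateAccount's body continues past the hunk.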
diff --git a/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php b/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php
index 5634819113..98e3b137cb 100644
--- a/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php
+++ b/lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php
@@ -171,6 +171,10 @@ public function authorizeGrantPassword(Request $request, ApiApplication $applica
*/
public function newApp(Request $request)
{
+ if (!$this->isCrsfValid($request, 'newApplication')) {
+ return new Response('invalid crsf token form', 403);
+ }
+
if ($request->request->get('type') === ApiApplication::DESKTOP_TYPE) {
$form = new \API_OAuth2_Form_DevAppDesktop($request);
} else {
@@ -223,6 +227,8 @@ public function listApps()
*/
public function displayFormApp(Request $request)
{
+ $this->setSessionFormToken('newApplication');
+
return $this->render('developers/application_form.html.twig', [
"violations" => null,
'form' => null,
diff --git a/templates/web/account/account.html.twig b/templates/web/account/account.html.twig
index c843a3561f..458fcc0476 100644
--- a/templates/web/account/account.html.twig
+++ b/templates/web/account/account.html.twig
@@ -293,6 +293,7 @@
+
diff --git a/templates/web/developers/application_form.html.twig b/templates/web/developers/application_form.html.twig
index c1ec6cb8bf..9b543afea0 100644
--- a/templates/web/developers/application_form.html.twig
+++ b/templates/web/developers/application_form.html.twig
@@ -123,5 +123,6 @@
+
{% endblock %}
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php
index 4f42595d3c..0aed6b756f 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Root/AccountTest.php
@@ -384,6 +384,7 @@ public function testUpdateAccount()
$app = $this->getApplication();
$client = $this->getClient();
$bases = $notifs = [];
+ $randomValue = $this->setSessionFormToken('userAccount');
foreach ($app->getDataboxes() as $databox) {
foreach ($databox->get_collections() as $collection) {
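Review bot: The test only exercises the happy path — it now supplies `userAccount_token`, but nothing asserts that updateAccount answers 403 when the token is absent or wrong, so a regression that drops the isCrsfValid check would still pass this suite. A companion test that issues the same POST without `'userAccount_token'` (or with a different value) and asserts `$this->assertSame(403, $client->getResponse()->getStatusCode());` would pin the new behaviour; the same gap exists in DevelopersTest::testPostNewApp and testPostNewAppInvalidArguments. testUpdateAccount continues past this hunk.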
@@ -424,7 +425,8 @@ public function testUpdateAccount()
'form_retryFTP' => '',
'notifications' => $notifs,
'form_defaultdataFTP' => ['document', 'preview', 'caption'],
- 'mail_notifications' => '1'
+ 'mail_notifications' => '1',
+ 'userAccount_token' => $randomValue
]);
$response = $client->getResponse();
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php
index f3fbc55fb5..4f81818540 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Root/DevelopersTest.php
@@ -39,6 +39,8 @@ public function testDisplayformApp()
*/
public function testPostNewAppInvalidArguments()
{
+ $randomValue = $this->setSessionFormToken('newApplication');
+
$crawler = self::$DI['client']->request('POST', '/developers/application/', [
'type' => ApiApplication::WEB_TYPE,
'name' => '',
@@ -46,7 +48,8 @@ public function testPostNewAppInvalidArguments()
'website' => 'my.website.com',
'callback' => 'my.callback.com',
'scheme-website' => 'http://',
- 'scheme-callback' => 'http://'
+ 'scheme-callback' => 'http://',
+ 'newApplication_token' => $randomValue
]);
$this->assertTrue(self::$DI['client']->getResponse()->isOk());
@@ -63,6 +66,7 @@ public function testPostNewApp()
{
$apps = self::$DI['app']['repo.api-applications']->findByCreator(self::$DI['user']);
$nbApp = count($apps);
+ $randomValue = $this->setSessionFormToken('newApplication');
self::$DI['client']->request('POST', '/developers/application/', [
'type' => ApiApplication::WEB_TYPE,
@@ -71,7 +75,8 @@ public function testPostNewApp()
'website' => 'my.website.com',
'callback' => 'my.callback.com',
'scheme-website' => 'http://',
- 'scheme-callback' => 'http://'
+ 'scheme-callback' => 'http://',
+ 'newApplication_token' => $randomValue
]);
$apps = self::$DI['app']['repo.api-applications']->findByCreator(self::$DI['user']);