From 600e3aa12f02c27438bd622d323f8086a2e01893 Mon Sep 17 00:00:00 2001
From: secretr
Date: Mon, 24 Oct 2011 06:30:31 +0000
Subject: [PATCH] e-token check method returns now boolean; comments e-token check refined
---
 e107_handlers/comment_class.php | 4 +++-
 e107_handlers/session_handler.php | 12 +++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/e107_handlers/comment_class.php b/e107_handlers/comment_class.php
index d18a67d8b..0fd252595 100644
--- a/e107_handlers/comment_class.php
+++ b/e107_handlers/comment_class.php
@@ -340,6 +340,7 @@ class comment
 /**
 * Add a comment to an item
+ * e-token POST value should be always valid when using this method.
 *
 * @param unknown_type $author_name
 * @param unknown_type $comment
@@ -363,7 +364,8 @@ class comment
 if ($this->getCommentPermissions() != 'rw') return;
- e107::getSession()->check(); // This will abort on error
+ if(!isset($_POST['e-token'])) $_POST['e-token'] = ''; // check posted token
+ if(!e107::getSession()->check(false)) return false; // This will return false on error
 if (isset($_GET['comment']) && $_GET['comment'] == 'edit')
 {
diff --git a/e107_handlers/session_handler.php b/e107_handlers/session_handler.php
index 0d0ec70e0..eb309d39c 100644
--- a/e107_handlers/session_handler.php
+++ b/e107_handlers/session_handler.php
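Review bot: The comment `// check posted token` on the first added line of the second comment_class.php hunk is misleading: that line checks nothing, it normalizes an absent e-token to an empty string, presumably so that check() validates (and rejects) the request instead of treating a missing token as nothing to verify; the skip-on-missing logic is not in this hunk, so confirm that is why the superglobal is written. A comment stating the intent, `// force token validation: a missing e-token must fail check(), not bypass it`, keeps the next maintainer from deleting the line as a no-op. The new `return false` also introduces a second failure value next to the bare `return;` (null) on the context line above for the permission check, so callers testing `=== false` will miss the permission failure; returning false in both places would keep the contract uniform. The add() method starts and ends outside this hunk.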
@@ -798,15 +798,16 @@ class e_core_session extends e_session
 /**
 * Core CSF protection, see class2.php
 * Could be adopted by plugins for their own (different) protection logic
- * @return e_core_session
+ * @param boolean $die
+ * @return boolean
 */
- public function check()
+ public function check($die = true)
 {
 // define('e_TOKEN_NAME', 'e107_token_'.md5($_SERVER['HTTP_HOST'].e_HTTP)); // TODO e-token required for all system forms?
 // only if not disabled and not in 'cli' mod
- if(e_SECURITY_LEVEL < e_session::SECURITY_LEVEL_BALANCED || e107::getE107('cli')) return $this;
+ if(e_SECURITY_LEVEL < e_session::SECURITY_LEVEL_BALANCED || e107::getE107('cli')) return true;
 if($this->getSessionId())
 {
@@ -829,7 +830,8 @@ class e_core_session extends e_session
 e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL);
 }
 // do not redirect, prevent dead loop, save server resources
- die('Unauthorized access!');
+ if($die) die('Unauthorized access!');
+ return false;
 }
 }
@@ -849,7 +851,7 @@ class e_core_session extends e_session
 }
 define('e_TOKEN', $this->getFormToken());
 }
- return $this;
+ return true;
 }
 /**
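Review bot: Changing the return of `check($die = true)` from `$this` to a boolean breaks any caller that chains on the result (`e107::getSession()->check()->...`); this commit only touches comment_class.php, so other call sites should be searched before it lands. The early `return true` for a security level below BALANCED or cli mode also means that `true` from `check(false)` does not prove a valid token was presented, only that the check passed or was not enforced, and callers that now branch on the return value need to know that; suggest `@return boolean true when the token validated or the check is not enforced (security level below BALANCED, cli); false only when $die is false and validation failed`. The same caveat applies to the final `return true;` in the third hunk, which appears to be reached whenever the session-id branch is not taken; worth confirming in the lines between the hunks. The method body continues outside this hunk.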
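Review bot: `if($die) die('Unauthorized access!');` still answers a rejected request with a normal 200 response carrying the message as its body, so the refusal is indistinguishable from success for clients, proxies and log-based monitoring; emitting a status first, `header('HTTP/1.1 403 Forbidden');` on the line before the die, keeps the abort semantics while making the rejection visible. When `$die` is false the admin-log call in the block above (when its branch is taken) still runs before `return false`, which is the right order. The enclosing failure branch starts outside this hunk.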