Diffstat (limited to 'src/post_routes.rs')
-rw-r--r--src/post_routes.rs27
1 files changed, 13 insertions, 14 deletions
diff --git a/src/post_routes.rs b/src/post_routes.rs
index 7588abc..1b5d615 100644
--- a/src/post_routes.rs
+++ b/src/post_routes.rs
@@ -18,32 +18,31 @@ use crate::forms::EditForm;
use crate::forms::MoveForm;
use crate::get_renderer;
use crate::ActionParam;
-use crate::Args;
use crate::Context;
+use crate::HttpOrigin;
use crate::RenderMode;
use crate::Response;
use crate::{controller::Controller, Error};
pub(crate) async fn build_response<C: Controller>(
- args: &Args,
+ host: &HttpOrigin,
params: &ActionParam,
controller: &C,
ctx: Context,
body: Body,
parts: &mut Parts,
) -> Result<Response, Error> {
- if let Some(ref enforced_origin) = args.origin {
- if parts
- .headers
- .get(header::ORIGIN)
- .filter(|h| h.as_bytes() == enforced_origin.as_bytes())
- .is_none()
- {
- return Err(Error::BadRequest(format!(
- "POST requests must be sent with the header Origin: {}",
- enforced_origin
- )));
- }
+ if parts
+ .headers
+ .get(header::ORIGIN)
+ .filter(|h| h.as_bytes() == host.origin.as_bytes())
+ .is_none()
+ {
+ // This check prevents cross-site request forgery (CSRF).
+ return Err(Error::BadRequest(format!(
+ "POST requests must be sent with the header Origin: {}",
+ host.origin
+ )));
}
match params.action.as_ref() {
"edit" => return update_blob(body, controller, ctx, parts).await,
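Review bot: The new Origin check at the top of build_response compares the header bytes exactly against `host.origin`, so it is only correct if that value is already a serialized origin in the form browsers send it (lowercase scheme and host, no path or trailing slash, default port omitted); a configured value such as `https://Example.org/` would reject every POST with a 400. How HttpOrigin is constructed is not visible here, so if no normalization happens there, it belongs at construction time rather than in this hot path. The comment on the check would carry more weight if it stated what the guard relies on, e.g. `// CSRF guard: browsers always send Origin on cross-site POSTs and scripts cannot forge it, so an absent or mismatching value is rejected. host.origin must be a serialized origin (scheme://host[:port]) exactly as browsers emit it.` Since the previous opt-in via `args.origin` is gone, this now applies to every caller, so non-browser clients must send a matching Origin header; that is worth a `///` line on the function. build_response's body continues past the end of the hunk.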