From 1ea80f4f57dd9ed5e0ee956496f7f57bd4e64751 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Fri, 15 May 2009 12:59:39 +0000
Subject: [PATCH] Fix: protection faille CSRF !!!
---
 htdocs/admin/const.php | 4 ----
 htdocs/main.inc.php | 4 ++++
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php
index 72fb1ebc09b..f8b5c41738c 100644
--- a/htdocs/admin/const.php
+++ b/htdocs/admin/const.php
@@ -30,10 +30,6 @@ require_once(DOL_DOCUMENT_ROOT."/lib/admin.lib.php");
 $langs->load("admin");
-//Todo: protection faille CSRF !!!
-if (! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
-accessforbidden();
-
 if (!$user->admin) accessforbidden();
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index a26a7b79cf5..8c37fd649ca 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -122,6 +122,10 @@ set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
 // This include will set: $conf, $langs and $mysoc objects
 require_once("master.inc.php");
+// Protection faille CSRF !!!
+if (! empty($_SERVER['HTTP_REFERER']) && !eregi(DOL_MAIN_URL_ROOT, $_SERVER['HTTP_REFERER']))
+accessforbidden();
+
 // Check if HTTPS
 if ($conf->file->main_force_https)
 {
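Review bot: The Referer test added after `require_once("master.inc.php")` in main.inc.php is skipped whenever the header is absent (`! empty($_SERVER['HTTP_REFERER'])`) and `eregi(DOL_MAIN_URL_ROOT, ...)` is an unanchored regex match, so a foreign URL that merely contains the root URL somewhere in it passes; on its own this is not a CSRF defence. Because the check now runs for every request, including plain GETs, legitimate navigation into the application from an external site, a bookmark manager or a webmail link will be answered with accessforbidden(). A robust fix is a per-session secret token embedded in each form and compared server-side on the state-changing (POST/action) requests, leaving read-only page loads alone. If the Referer check is kept in the meantime, anchor it to the application origin and drop the deprecated eregi: `if (! empty($_SERVER['HTTP_REFERER']) && stripos($_SERVER['HTTP_REFERER'], DOL_MAIN_URL_ROOT) !== 0)`. The comment `// Protection faille CSRF !!!` should also be in English like the surrounding ones, e.g. `// CSRF protection: reject requests whose Referer is not this application`.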