Only enable CSRF argument stashing in refresh URL if CSRF is enabled

Not only is it only necessary if CSRF protections are on, but RT does not expand CSRF_Token unless RestrictReferrer is enabled.
bestpractical · May 7, 2012 · 299b660 · 299b660
1 parent 096e31e
commit 299b660
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/share/html/Search/Results.html b/share/html/Search/Results.html
@@ -151,7 +151,7 @@
 my $refresh = $session{'tickets_refresh_interval'}
     || RT->Config->Get('SearchResultsRefreshInterval', $session{'CurrentUser'} );
 
-if ($refresh and not $m->request_args->{CSRF_Token}) {
+if (RT->Config->Get('RestrictReferrer') and $refresh and not $m->request_args->{CSRF_Token}) {
     my $token = RT::Interface::Web::StoreRequestToken( $session{'CurrentSearchHash'} );
     $m->notes->{RefreshURL} = RT->Config->Get('WebURL')
         . "Search/Results.html?CSRF_Token="