From c664b78800adf997805b250cfc1776cf6a46f020 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 1 Oct 2021 12:37:32 +0200
Subject: [PATCH] MAIN_SECURITY_CSRF_WITH_TOKEN now has 3 levels (1, 2, 3)
---
 htdocs/core/class/conf.class.php | 5 ++++-
 htdocs/main.inc.php | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php
index e4abfc1a748..5ec3a4cfbc0 100644
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@@ -828,7 +828,10 @@ class Conf
 // Enable by default the CSRF protection by token.
 if (!isset($this->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) {
- $this->global->MAIN_SECURITY_CSRF_WITH_TOKEN = 1; // Value 2 uses also CSRF check for sensitive GET requests and 3 uses CSRF check for all POST and GET requests.
+ // Value 1 makes CSRF check for all POST parameters only
+ // Value 2 makes also CSRF check for GET requests with action = a sensitive requests like action=del, action=remove...
+ // Value 3 makes also CSRF check for all GET requests with a param action or massaction
+ $this->global->MAIN_SECURITY_CSRF_WITH_TOKEN = 1;
 // Note: Set MAIN_SECURITY_CSRF_TOKEN_RENEWAL_ON_EACH_CALL=1 to have a renewal of token at each page call instead of each session (not recommended)
 }
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index d3f30ae47f7..a52bb7dcf2b 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
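Review bot: The four added comment lines describe levels 1–3 but leave implicit that the default assigned on the following `+` line stays at 1, so under an untouched configuration the GET actions listed for level 2 (action=del, action=remove…) are still accepted without a token; a reader of conf.class.php has to infer that from the level descriptions. A line next to the assignment such as `// Default is 1: GET actions are not token-checked unless the level is raised to 2 or 3` would make the trade-off visible where the value is set. Wording nit on the level-2 line: "a sensitive requests" should read "a sensitive request". The enclosing method of class Conf starts and ends outside the hunk.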
@@ -465,10 +465,10 @@ if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
 if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN')) || defined('CSRFCHECK_WITH_TOKEN')) {
 // Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
 $sensitiveget = false;
- if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') == 3) {
+ if ((GETPOSTISSET('massaction') || GETPOST('action', 'aZ09')) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 3) {
 // All GET actions and mass actions are processed as sensitive.
 $sensitiveget = true;
- } elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') == 2) {
+ } elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 2) {
 // Few GET actions coded with a &token into url are processed as sensitive.
 $arrayofactiontoforcetokencheck = array(
 'activate', 'add', 'addrights', 'addtimespent',
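Review bot: `getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN')` is now evaluated three times in one decision (the outer `if`, the `>= 3` branch and the `>= 2` branch), and since the switch from `==` to `>=` makes the levels cumulative, reading the level once before the outer `if` states that intent more plainly: `$csrftokenlevel = getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN');`, then `... && $csrftokenlevel >= 3) {` and `} elseif ($csrftokenlevel >= 2) {`. With `>=`, any value above 3 now behaves as level 3, which is worth one clause in the comment on the `>= 3` branch so an out-of-range setting is understood as the strictest mode rather than as a misconfiguration that silently does nothing. The enclosing `if ((!defined('NOCSRFCHECK') ...` block and the `$arrayofactiontoforcetokencheck` array literal both continue past the end of the hunk.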