issue: secure against external form submissions

Ignore api requests (preview from (failed) login),
and require subject field to be sure.

Fixes empty issues after failed logins.

diff --git a/issue/index.php b/issue/index.php
index 8b42d11f7c499699a2d51ac4debb80ff628478d8..704a405e879bf42b40d9d40c89acec27874ce816 100644 (file)
--- a/issue/index.php
+++ b/issue/index.php
@@ -42,8 +42,12 @@ if ($id and ctype_digit($id)) {
        return;
 }
 
-if ($_POST) {
+if ($Page->api) return;
+if ($_POST and isset($_POST['subject'])) {
                require_once 'upload.inc.php';
+               if (strlen($_POST['subject']) < 2) {
+                       throw new Exception('Een minimaal onderwerp is verplicht om een issue aan te maken.');
+               }
                $query = $Db->set('issues', [
                        'page'    => $Page->handler,
                        'subject' => $_POST['subject'],
@@ -55,7 +59,6 @@ if ($_POST) {
                }
                $_POST = [];
 }
-if ($Page->api) return;
 
 $subsql = "SELECT count(*) FROM comments WHERE page=i.page||'/'||i.id";
 $cols = "*, ($subsql AND message IS NOT NULL) AS replycount";