security: add CSRF and ACL checks (#104 , #105 )

- #104: Add checkToken('get') and core.manage ACL check to CSV export - #105: Add checkToken() to migration action (ACL was already present) Authored-by: Moko Consulting Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-06 06:40:19 -05:00
2 changed files with 8 additions and 0 deletions
@@ -27,6 +27,8 @@ class DashboardController extends BaseController
     */
    public function migrate(): void
    {
+        $this->checkToken();
+
        // Check ACL
        if (!$this->app->getIdentity()->authorise('mokojoomcross.migrate', 'com_mokojoomcross')) {
            $this->setRedirect(
@@ -156,6 +156,12 @@ class PostsController extends AdminController
     */
    public function exportCsv(): void
    {
+        $this->checkToken('get');
+
+        if (!$this->app->getIdentity()->authorise('core.manage', 'com_mokojoomcross')) {
+            throw new \RuntimeException(Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 403);
+        }
+
        $app = $this->app;
        $db  = Factory::getDbo();