Merge pull request #2295 from greezybacon/issue/2276

csrf: Fix CRSF violation on client login

Reviewed-By: Peter Rotich <peter@osticket.com>

include/client/templates/thread-entry.tmpl.php

@@ -15,33 +15,13 @@ if ($user && ($url = $user->get_gravatar(48)))
 <?php } ?>
     <div class="header">
         <div class="pull-right">
-<?php           if ($entry->hasActions()) {
-            $actions = $entry->getActions(); ?>
-            <span class="muted-button pull-right" data-dropdown="#entry-action-more-<?php echo $entry->getId(); ?>">
-                <i class="icon-caret-down"></i>
-            </span>
-            <div id="entry-action-more-<?php echo $entry->getId(); ?>" class="action-dropdown anchor-right">
-        <ul class="title">
-<?php               foreach ($actions as $group => $list) {
-                foreach ($list as $id => $action) { ?>
-            <li>
-            <a class="no-pjax" href="#" onclick="javascript:
-                    <?php echo str_replace('"', '\\"', $action->getJsStub()); ?>; return false;">
-                <i class="<?php echo $action->getIcon(); ?>"></i> <?php
-                    echo $action->getName();
-        ?></a></li>
-<?php                   }
-            } ?>
-        </ul>
-        </div>
-<?php           } ?>
-                <span style="vertical-align:middle;" class="textra">
+            <span style="vertical-align:middle;" class="textra">
         <?php if ($entry->flags & ThreadEntry::FLAG_EDITED) { ?>
                 <span class="label label-bare" title="<?php
         echo sprintf(__('Edited on %s by %s'), Format::datetime($entry->updated), 'You');
                 ?>"><?php echo __('Edited'); ?></span>
         <?php } ?>
-                </span>
+            </span>
         </div>
 <?php
             echo sprintf(__('<b>%s</b> posted %s'), $name,

login.php

@@ -32,19 +32,6 @@ else
 
 $suggest_pwreset = false;
 
-// Check the CSRF token, and ensure that future requests will have to use a
-// different CSRF token. This will help ward off both parallel and serial
-// brute force attacks, because new tokens will have to be requested for
-// each attempt.
-if ($_POST) {
-    // Check CSRF token
-    if (!$ost->checkCSRFToken())
-        Http::response(400, __('Valid CSRF Token Required'));
-
-    // Rotate the CSRF token (original cannot be reused)
-    $ost->getCSRF()->rotate();
-}
-
 if ($_POST && isset($_POST['luser'])) {
     if (!$_POST['luser'])
         $errors['err'] = __('Valid username or email address is required');

scp/css/scp.css

@@ -1249,7 +1249,7 @@ ul.tabs.alt li.active {
     display:block;
     height:30px;
     position:absolute;
-    z-index:5;
+    z-index:10;
 }
 
 .tip_arrow {
@@ -1258,7 +1258,7 @@ ul.tabs.alt li.active {
     top:5px;
     left:-12px;
     width:12px;
-    z-index:102;
+    z-index:1;
 }
 
 .tip_box.right .tip_arrow {