From 8908f4bdc33331d513f57b6d724b58ad05a5f3a8 Mon Sep 17 00:00:00 2001
From: iBNu Maksum
Date: Mon, 4 Nov 2024 12:05:08 +0700
Subject: [PATCH] enable/disable CSRF

---
 system/autoload/Csrf.php | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/system/autoload/Csrf.php b/system/autoload/Csrf.php
index 5338dc14..57752a0e 100644
--- a/system/autoload/Csrf.php
+++ b/system/autoload/Csrf.php
@@ -22,18 +22,22 @@ class Csrf
 public static function check($token)
 {
- if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
- $storedToken = $_SESSION['csrf_token'];
- $tokenTime = $_SESSION['csrf_token_time'];
+ global $config;
+ if($config['csrf_enabled'] == 'yes') {
+ if (isset($_SESSION['csrf_token'], $_SESSION['csrf_token_time'], $token)) {
+ $storedToken = $_SESSION['csrf_token'];
+ $tokenTime = $_SESSION['csrf_token_time'];
 
- if (time() - $tokenTime > self::$tokenExpiration) {
- self::clearToken();
- return false;
+ if (time() - $tokenTime > self::$tokenExpiration) {
+ self::clearToken();
+ return false;
+ }
+
+ return self::validateToken($token, $storedToken);
 }
-
- return self::validateToken($token, $storedToken);
+ return false;
 }
- return false;
+ return true;
 }
 
 public static function generateAndStoreToken()