From ca49522373c5b393d271971765adc1acbee158ec Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Tue, 3 Sep 2024 13:11:27 +0000
Subject: [PATCH] don't check csrf protection twice (and since it will fail on
 the redirect), fixes #4557

Closes #4557

Merge request studip/studip!3360
---
 app/controllers/course/basicdata.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/course/basicdata.php b/app/controllers/course/basicdata.php
index eab5f3640bf..114bcc8ee9f 100644
--- a/app/controllers/course/basicdata.php
+++ b/app/controllers/course/basicdata.php
@@ -612,7 +612,8 @@ class Course_BasicdataController extends AuthenticatedController
 
     public function add_member_action($course_id, $status = 'dozent')
     {
-        CSRFProtection::verifyUnsafeRequest();
+        // We don't need to check the csrf protection at this point since it
+        // is already checked by the multiperson search endpoint
 
         // load MultiPersonSearch object
         $mp = MultiPersonSearch::load("add_member_{$status}{$course_id}");
-- 
GitLab