/**
* Authenticates a call using Drupal's built in sessions
*
* @return void
*/
function _services_sessions_authenticate_call() {
  global $user;
  $original_user = services_get_server_info('original_user');
  if ($original_user->uid != 0) {
    $non_safe_method_called = !in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD', 'OPTIONS', 'TRACE'));
    $csrf_token_invalid = !isset($_SERVER['HTTP_X_CSRF_TOKEN']) || !drupal_valid_token($_SERVER['HTTP_X_CSRF_TOKEN'], 'services');
    if ($non_safe_method_called && $csrf_token_invalid) {
      return t('CSRF validation failed');
    }
  }

@return void, but the function clearly seems to return a validation error message.

Comments

Status:Active» Fixed

Thanks for spotting this. Fixed.

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.