From 3c0f2e8e11a1bead64d869854b9dfc0f80e7579a Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Mon, 18 Apr 2016 23:54:10 +0100
Subject: [PATCH] [SS-2015-029] FIX Add CSFR protection to tree reorganise

---
 admin/code/LeftAndMain.php | 3 +++
 admin/javascript/LeftAndMain.Tree.js | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/admin/code/LeftAndMain.php b/admin/code/LeftAndMain.php
index 226fa5853..9d59997ff 100644
--- a/admin/code/LeftAndMain.php
+++ b/admin/code/LeftAndMain.php
@@ -1046,6 +1046,9 @@ class LeftAndMain extends Controller implements PermissionProvider {
 * @return SS_HTTPResponse JSON string with a
 */
 public function savetreenode($request) {
+ if (!SecurityToken::inst()->checkRequest($request)) {
+ return $this->httpError(400);
+ }
 if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) {
 $this->response->setStatusCode(
 403,
diff --git a/admin/javascript/LeftAndMain.Tree.js b/admin/javascript/LeftAndMain.Tree.js
index 4faa4654a..37d3d1dbb 100644
--- a/admin/javascript/LeftAndMain.Tree.js
+++ b/admin/javascript/LeftAndMain.Tree.js
@@ -97,7 +97,10 @@
 });
 $.ajax({
- 'url': self.data('urlSavetreenode'),
+ 'url': $.path.addSearchParams(
+ self.data('urlSavetreenode'),
+ self.data('extraParams')
+ ),
 'type': 'POST',
 'data': {
 ID: nodeID,
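Review bot: The new `SecurityToken` check in `savetreenode` rejects a missing or stale token with a bare `httpError(400)`, so the tree's AJAX error handler has no message to surface to the editor and the failure is hard to tell apart from any other bad request; `return $this->httpError(400, 'Invalid security token');` would make it actionable, and the `return` is presumably redundant since `httpError()` throws in this codebase, though that is harmless. Placing the token check ahead of the `SITETREE_REORGANISE`/`ADMIN` permission check is the right order, as a forged request is refused before any permission state is revealed. The docblock on `savetreenode` begins outside the hunk; it should state that the request must carry a valid `SecurityID` (the JS side appears to supply it via `extraParams` in the second file, as far as the diff shows) and that a 400 is returned otherwise. No test accompanies the change, so a request without the token reaching the permission branch would not be caught by the suite.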