[SS-2015-029] FIX Add CSFR protection to tree reorganise

This commit is contained in:
Daniel Hensby 2016-04-18 23:54:10 +01:00
parent 1f820b0b1c
commit 3c0f2e8e11
No known key found for this signature in database
GPG Key ID: E38EC566FE29EB66
2 changed files with 7 additions and 1 deletions

View File

@ -1046,6 +1046,9 @@ class LeftAndMain extends Controller implements PermissionProvider {
* @return SS_HTTPResponse JSON string with a * @return SS_HTTPResponse JSON string with a
*/ */
public function savetreenode($request) { public function savetreenode($request) {
if (!SecurityToken::inst()->checkRequest($request)) {
return $this->httpError(400);
}
if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) { if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) {
$this->response->setStatusCode( $this->response->setStatusCode(
403, 403,

View File

@ -97,7 +97,10 @@
}); });
$.ajax({ $.ajax({
'url': self.data('urlSavetreenode'), 'url': $.path.addSearchParams(
self.data('urlSavetreenode'),
self.data('extraParams')
),
'type': 'POST', 'type': 'POST',
'data': { 'data': {
ID: nodeID, ID: nodeID,