tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

[SS-2015-029] FIX Add CSFR protection to tree reorganise

Browse Source
This commit is contained in:
Daniel Hensby 2016-04-18 23:54:10 +01:00
parent 1f820b0b1c
commit 3c0f2e8e11
No known key found for this signature in database
GPG Key ID: E38EC566FE29EB66
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
admin/code/LeftAndMain.php
View File

@ -1046,6 +1046,9 @@ class LeftAndMain extends Controller implements PermissionProvider {
* @return SS_HTTPResponse JSON string with a * @return SS_HTTPResponse JSON string with a
*/ */
public function savetreenode($request) { public function savetreenode($request) {
if (!SecurityToken::inst()->checkRequest($request)) {
return $this->httpError(400);
}
if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) { if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) {
$this->response->setStatusCode( $this->response->setStatusCode(
403, 403,

5
admin/javascript/LeftAndMain.Tree.js
View File

@ -97,7 +97,10 @@
}); });
$.ajax({ $.ajax({
'url': self.data('urlSavetreenode'), 'url': $.path.addSearchParams(
self.data('urlSavetreenode'),
self.data('extraParams')
),
'type': 'POST', 'type': 'POST',
'data': { 'data': {
ID: nodeID, ID: nodeID,