From 4298cda6aa6ba3bfa6d8350c0207b3e33245b8c7 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Mon, 1 Nov 2010 01:28:53 +0000
Subject: [PATCH] API CHANGE Added security token to TableListField->Link() in order to include it in all URL actions automatically. This ensures that field actions bypassing Form->httpSubmission() still get CSRF protection
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@113275 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 forms/TableListField.php | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/forms/TableListField.php b/forms/TableListField.php
index ac76bf36a..18a866233 100755
--- a/forms/TableListField.php
+++ b/forms/TableListField.php
@@ -1178,6 +1178,28 @@ JS
 return $link;
 }
+
+ /**
+ * Overloaded to automatically add security token.
+ *
+ * @param String $action
+ * @return String
+ */
+ function Link($action = null) {
+ $form = $this->getForm();
+ if($form) {
+ $token = $form->getSecurityToken();
+ $parentUrlParts = parse_url(parent::Link($action));
+ $queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
+ // Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
+ if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
+ return Controller::join_links($parentUrlParts['path'], $action, $queryPart);
+ } else {
+ // allow for instanciation of this FormField outside of a controller/form
+ // context (e.g. for unit tests)
+ return false;
+ }
+ }
 function BaseLink() {
 user_error("TableListField::BaseLink() deprecated, use Link() instead", E_USER_NOTICE);
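Review bot: In the new TableListField::Link(), `$action` is passed to `parent::Link($action)` and then passed again to `Controller::join_links($parentUrlParts['path'], $action, $queryPart)`, so if the parent already appends the action to its path the action segment will appear twice in the generated URL; calling `parent::Link()` without the argument (or dropping `$action` from the join) avoids that. Appending the token to the URL only gives CSRF protection for actions whose handlers actually verify it, and nothing in this hunk shows the field action handlers calling the token's check, so that should be confirmed for each URL action that this link can reach. `$token` is fetched unconditionally but only used inside `if($form->securityTokenEnabled())`; moving `$token = $form->getSecurityToken();` into that branch makes the intent clearer. The docblock says `@return String` while the method returns `false` when there is no form, so `@return String|false` would be accurate.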
@@ -1414,9 +1436,12 @@ class TableListField_Item extends ViewableData {
 }
 function Link($action = null) {
- if($this->parent->getForm()) {
+ $form = $this->parent->getForm();
+ if($form) {
 $parentUrlParts = parse_url($this->parent->Link());
 $queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
+ // Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
+ if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
 return Controller::join_links($parentUrlParts['path'], 'item', $this->item->ID, $action, $queryPart);
 } else {
 // allow for instanciation of this FormField outside of a controller/form
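Review bot: `$token` is never assigned in TableListField_Item::Link(), so the added `$token->addtoUrl($queryPart)` is a method call on an undefined variable and will fail as soon as `securityTokenEnabled()` is true; the parallel hunk in TableListField::Link() assigns it with `$token = $form->getSecurityToken();` and this method needs the same line before the call. Note also that `$this->parent->Link()` already carries the token once the first hunk is in place, so adding it again here would likely put the SecurityID parameter into the query string twice — keeping the parent's query part and dropping the extra addToUrl() here may be the simpler fix. The rest of this method continues past the end of the hunk.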