API CHANGE Added security token to TableListField->Link() in order to include it in all URL actions automatically. This ensures that field actions bypassing Form->httpSubmission() still get CSRF protection

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@113275 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2010-11-01 01:28:53 +00:00 committed by Sam Minnee
parent 1aadb8c990
commit 4298cda6aa


@ -1179,6 +1179,28 @@ JS
return $link; return $link;
} }
/**
* Overloaded to automatically add security token.
*
* @param String $action
* @return String
*/
function Link($action = null) {
$form = $this->getForm();
if($form) {
$token = $form->getSecurityToken();
$parentUrlParts = parse_url(parent::Link($action));
$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
// Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
return Controller::join_links($parentUrlParts['path'], $action, $queryPart);
} else {
// allow for instanciation of this FormField outside of a controller/form
// context (e.g. for unit tests)
return false;
}
}
function BaseLink() { function BaseLink() {
user_error("TableListField::BaseLink() deprecated, use Link() instead", E_USER_NOTICE); user_error("TableListField::BaseLink() deprecated, use Link() instead", E_USER_NOTICE);
return $this->Link(); return $this->Link();
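Review bot: On the `$parentUrlParts = parse_url(parent::Link($action));` line the parent URL is built with `$action` and then `$action` is handed to `Controller::join_links()` a second time, so if the parent implementation already appends the action to its path (FormField::Link in this branch appears to) the action segment is emitted twice; parsing `parent::Link()` without the action and letting the join add it once, as the TableListField_Item hunk does, avoids that. In the second hunk, `if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);` reads `$token` that TableListField_Item::Link never assigns, which is a fatal call on a null value whenever the token is enabled; it needs `$token = $form->getSecurityToken();` after the `$form` check. The docblock's `@return String` is also inaccurate because the no-form branch returns `false`, so `@return String|false` would match the code. Worth a short comment on the guard as well, since the token now travels in the query string of every field action URL and is therefore visible in Referer headers, browser history and access logs: `// Token is carried in the query string; it is exposed wherever the URL is logged or referred.`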
@ -1414,9 +1436,12 @@ class TableListField_Item extends ViewableData {
} }
function Link($action = null) { function Link($action = null) {
if($this->parent->getForm()) { $form = $this->parent->getForm();
if($form) {
$parentUrlParts = parse_url($this->parent->Link()); $parentUrlParts = parse_url($this->parent->Link());
$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null; $queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
// Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
return Controller::join_links($parentUrlParts['path'], 'item', $this->item->ID, $action, $queryPart); return Controller::join_links($parentUrlParts['path'], 'item', $this->item->ID, $action, $queryPart);
} else { } else {
// allow for instanciation of this FormField outside of a controller/form // allow for instanciation of this FormField outside of a controller/form