API CHANGE Added security token to TableListField->Link() in order to include it in all URL actions automatically. This ensures that field actions bypassing Form->httpSubmission() still get CSRF protection (from r113275)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@114528 467b73ca-7a2a-4603-9d3b-597d59a354a9
parent
c63b00f92a
commit
5c0b2182ae
@ -1178,6 +1178,28 @@ JS
return $link;
return $link;
}
}
/**
* Overloaded to automatically add security token.
*
* @param String $action
* @return String
*/
function Link($action = null) {
$form = $this->getForm();
if($form) {
$token = $form->getSecurityToken();
$parentUrlParts = parse_url(parent::Link($action));
$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
// Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
return Controller::join_links($parentUrlParts['path'], $action, $queryPart);
} else {
// allow for instanciation of this FormField outside of a controller/form
// context (e.g. for unit tests)
return false;
}
}
function BaseLink() {
function BaseLink() {
user_error("TableListField::BaseLink() deprecated, use Link() instead", E_USER_NOTICE);
user_error("TableListField::BaseLink() deprecated, use Link() instead", E_USER_NOTICE);
@ -1414,9 +1436,12 @@ class TableListField_Item extends ViewableData {
}
}
function Link($action = null) {
function Link($action = null) {
if($this->parent->getForm()) {
$form = $this->parent->getForm();
if($form) {
$parentUrlParts = parse_url($this->parent->Link());
$parentUrlParts = parse_url($this->parent->Link());
$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
// Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
return Controller::join_links($parentUrlParts['path'], 'item', $this->item->ID, $action, $queryPart);
return Controller::join_links($parentUrlParts['path'], 'item', $this->item->ID, $action, $queryPart);
} else {
} else {
// allow for instanciation of this FormField outside of a controller/form
// allow for instanciation of this FormField outside of a controller/form
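Review bot: `$token` is never assigned in TableListField_Item::Link() before the new `if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);` line in the second hunk, so whenever the security token is enabled every item link fails with a call on an undefined variable rather than being CSRF-protected, and with it disabled the guard hides the bug. TableListField::Link() in the first hunk fetches the token with `$token = $form->getSecurityToken();` right after the `if($form)` check, and the same line belongs here directly after `if($form) {`. A unit test that renders an item link with SecurityToken enabled would catch this, since the earlier hunk's version only covers the field-level link. The else-branch and closing braces of TableListField_Item::Link() continue past the end of the hunk.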