BUGFIX ajshort: Ensure that CSRF security token settings are passed from parent controllers/forms into child forms.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@80225 467b73ca-7a2a-4603-9d3b-597d59a354a9

forms/Form.php

@@ -147,7 +147,13 @@ class Form extends RequestHandler {
 		// Form error controls
 		$this->setupFormErrors();
 		
-		$this->security = self::$default_security;
+		// Check if CSRF protection is enabled, either on the parent controller or from the default setting. Note that
+		// method_exists() is used as some controllers (e.g. GroupTest) do not always extend from Object.
+		if(method_exists($controller, 'securityTokenEnabled')) {
+			$this->security = $controller->securityTokenEnabled();
+		} else {
+			$this->security = self::$default_security;
+		}
 	}
 	
 	static $url_handlers = array(

forms/FormField.php

@@ -305,6 +305,15 @@ class FormField extends RequestHandler {
 		return $this->form; 
 	}
 	
+	/**
+	 * Return TRUE if security token protection is enabled on the parent {@link Form}.
+	 *
+	 * @return bool
+	 */
+	public function securityTokenEnabled() {
+		return $this->getForm() && $this->getForm()->securityTokenEnabled();
+	}
+	
 	/**
 	 * Sets the error message to be displayed on the form field
 	 * Set by php validation of the form