From c0c72e4c53ec9121daa888b9579530b799ef0543 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Sat, 27 Jun 2009 08:48:42 +0000
Subject: [PATCH] BUGFIX ajshort: Ensure that CSRF security token settings are passed from parent controllers/forms into child forms.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@80225 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 forms/Form.php | 8 +++++++-
 forms/FormField.php | 9 +++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 forms/Form.php
 mode change 100644 => 100755 forms/FormField.php

diff --git a/forms/Form.php b/forms/Form.php
old mode 100644
new mode 100755
index be35065ee..6d0c7d1ed
--- a/forms/Form.php
+++ b/forms/Form.php
@@ -147,7 +147,13 @@ class Form extends RequestHandler {
 // Form error controls
 $this->setupFormErrors();
 
- $this->security = self::$default_security;
+ // Check if CSRF protection is enabled, either on the parent controller or from the default setting. Note that
+ // method_exists() is used as some controllers (e.g. GroupTest) do not always extend from Object.
+ if(method_exists($controller, 'securityTokenEnabled')) {
+ $this->security = $controller->securityTokenEnabled();
+ } else {
+ $this->security = self::$default_security;
+ }
 }
 
 static $url_handlers = array(
diff --git a/forms/FormField.php b/forms/FormField.php
old mode 100644
new mode 100755
index 726d2fc7a..8ffec80b1
--- a/forms/FormField.php
+++ b/forms/FormField.php
@@ -305,6 +305,15 @@ class FormField extends RequestHandler {
 return $this->form;
 }
 
+ /**
+ * Return TRUE if security token protection is enabled on the parent {@link Form}.
+ *
+ * @return bool
+ */
+ public function securityTokenEnabled() {
+ return $this->getForm() && $this->getForm()->securityTokenEnabled();
+ }
+
 /**
 * Sets the error message to be displayed on the form field
 * Set by php validation of the form
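Review bot: The parent's answer is copied into `$this->security` once, in the constructor, so a nested form only matches its parent if the parent's token setting was already final when the child was built. A parent that turns protection off or back on afterwards leaves the child out of step. The new branch also lets a controller take a form below `self::$default_security`, which is the intent of the commit but deserves a line next to the check, for example `// Snapshot taken at construction: a parent with tokens disabled disables them here too, overriding the default.` The constructor starts above this hunk, so what `$controller` can hold at this point is not visible here.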
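Review bot: `securityTokenEnabled()` answers false when the field has no form yet, and the constructor hunk in forms/Form.php takes that answer as "tokens disabled". A nested form built with a not-yet-attached field as its controller would therefore come up without CSRF protection instead of falling back to the default. Treat "no parent form" as unknown rather than off, `$form = $this->getForm(); return $form ? (bool)$form->securityTokenEnabled() : null;`, and have the constructor use `self::$default_security` when it gets null. The docblock would then read `@return bool|null` and name the null case. Whether any caller actually builds a child form before the field is attached is not visible in this patch.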