From d5e50a9802afca88bd0a19441341b69ce99a5b7a Mon Sep 17 00:00:00 2001
From: Kirk Mayo
Date: Thu, 27 Feb 2014 12:34:57 +1300
Subject: [PATCH] NEW: Allow form submission when tokens are disabled
---
 code/model/UserDefinedForm.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/code/model/UserDefinedForm.php b/code/model/UserDefinedForm.php
index f245166..b9730f1 100755
--- a/code/model/UserDefinedForm.php
+++ b/code/model/UserDefinedForm.php
@@ -1054,6 +1054,15 @@ JS
 // set a session variable from the security ID to stop people accessing the finished method directly
 if (isset($data['SecurityID'])) {
 Session::set('FormProcessed',$data['SecurityID']);
+ } else {
+ // if the form has had tokens disabled we still need to set FormProcessed
+ // to allow us to get through the finshed method
+ if (!$this->Form()->getSecurityToken()->isEnabled()) {
+ $randNum = rand(1, 1000);
+ $randHash = md5($randNum);
+ Session::set('FormProcessed',$randHash);
+ Session::set('FormProcessedNum',$randNum);
+ }
 }
 return $this->redirect($this->Link() . 'finished' . $referrer);
@@ -1070,12 +1079,16 @@ JS
 $formProcessed = Session::get('FormProcessed');
 if (!isset($formProcessed)) {
- return $this->redirect($this->Link() . $referrer);
+ return $this->redirect($this->Link() . $referrer);
 } else {
 $securityID = Session::get('SecurityID');
 // make sure the session matches the SecurityID and is not left over from another form
 if ($formProcessed != $securityID) {
- return $this->redirect($this->Link() . $referrer);
+ // they may have disabled tokens on the form
+ $securityID = md5(Session::get('FormProcessedNum'));
+ if ($formProcessed != $securityID) {
+ return $this->redirect($this->Link() . $referrer);
+ }
 }
 }
 // remove the session variable as we do not want it to be re-used
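Review bot: The value written to `FormProcessed` on the tokens-disabled path is not a secret and should not be read as one. `rand(1, 1000)` yields at most 1000 values from a non-cryptographic generator, `md5()` of it adds nothing, and the number and its hash sit side by side in the same session. As written it only serves as a "form was submitted" marker for the finished method, so a comment above the `$randNum` line such as `// marker only, not a security token: CSRF protection is off for this form` would stop later readers from relying on it. If an unguessable value is actually intended here, it needs a cryptographically secure source rather than `rand()`. The enclosing method starts and ends outside the hunk.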
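Review bot: The new fallback inside the `$formProcessed != $securityID` branch runs for every form, not only for forms whose tokens are disabled. A `FormProcessed`/`FormProcessedNum` pair left in the session by another form would therefore pass the check that the comment above describes as guarding against leftovers. Gating the redirect the way the first hunk gates the write, e.g. `if ($this->Form()->getSecurityToken()->isEnabled() || $formProcessed !== md5(Session::get('FormProcessedNum'))) {`, keeps the SecurityID comparison authoritative when tokens are on. The diff also adds no cleanup for `FormProcessedNum`; if the code after the hunk only clears `FormProcessed`, adding `Session::clear('FormProcessedNum');` next to it would keep the number from being reused. The method body continues outside the hunk.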