Merge pull request #192 from silverstripe-rebelalliance/tokens

NEW: Allow form submission when tokens are disabled
2024-06-28 15:39:22 +02:00 · 2014-02-27 18:21:31 +13:00 · 2014-02-27 18:21:31 +13:00 · 45e4b1c037
commit 45e4b1c037
parent 97ff8b252c d5e50a9802
1 changed files with 15 additions and 2 deletions
--- a/code/model/UserDefinedForm.php
+++ b/code/model/UserDefinedForm.php
@ -1054,6 +1054,15 @@ JS
 		// set a session variable from the security ID to stop people accessing the finished method directly
 		if (isset($data['SecurityID'])) {
 			Session::set('FormProcessed',$data['SecurityID']);
+		} else {
+			// if the form has had tokens disabled we still need to set FormProcessed
+			// to allow us to get through the finshed method
+			if (!$this->Form()->getSecurityToken()->isEnabled()) {
+				$randNum = rand(1, 1000);
+				$randHash = md5($randNum);
+				Session::set('FormProcessed',$randHash);
+				Session::set('FormProcessedNum',$randNum);
+			}
 		}
 		
 		return $this->redirect($this->Link() . 'finished' . $referrer);
@ -1074,10 +1083,14 @@ JS
 		} else {
 			$securityID = Session::get('SecurityID');
 			// make sure the session matches the SecurityID and is not left over from another form
+			if ($formProcessed != $securityID) {
+				// they may have disabled tokens on the form
+				$securityID = md5(Session::get('FormProcessedNum'));
 				if ($formProcessed != $securityID) {
 					return $this->redirect($this->Link() . $referrer);
 				}
 			}
+		}
 		// remove the session variable as we do not want it to be re-used
 		Session::clear('FormProcessed');