FIX: Check security ID on admin non form links (Fixes #158)

2024-10-22 15:05:42 +00:00 · 2013-09-04 23:34:21 +12:00 · 2013-09-04 23:34:21 +12:00 · 9b134f1a78
commit 9b134f1a78
parent b2b030366b
3 changed files with 11 additions and 2 deletions
--- a/code/formfields/FieldEditor.php
+++ b/code/formfields/FieldEditor.php
@ -176,6 +176,10 @@ class FieldEditor extends FormField {
 	 * @return bool|html
 	 */
 	public function addfield() {
+		if(!SecurityToken::inst()->checkRequest($this->request)) {
+			return $this->httpError(400);
+		}
+
 		// get the last field in this form editor
 		$parentID = $this->form->getRecord()->ID;
 		
@ -217,6 +221,10 @@ class FieldEditor extends FormField {
 	 * @return bool|html
 	 */
 	public function addoptionfield() {
+		if(!SecurityToken::inst()->checkRequest($this->request)) {
+			return $this->httpError(400);
+		}
+
 		// passed via the ajax
 		$parent = (isset($_REQUEST['Parent'])) ? $_REQUEST['Parent'] : false;

--- a/javascript/UserForm.js
+++ b/javascript/UserForm.js
@ -239,13 +239,13 @@
 					var options = $(this).parent("li");
 					var action = userforms.appendToURL($("#Form_EditForm").attr("action"), '/field/Fields/addoptionfield');
 					var parent = $(this).attr("rel");
+					var securityID = ($("input[name=SecurityID]").length > 0) ? $("input[name=SecurityID]").first().attr("value") : '';

 					// send ajax request to the page
 					$.ajax({
 						type: "GET",
 						url: action,
-						data: 'Parent='+ parent,
-
+						data: 'Parent='+ parent +'&SecurityID='+securityID,
 						// create a new field
 						success: function(msg){
 							options.before(msg);
--- a/templates/FieldEditor.ss
+++ b/templates/FieldEditor.ss
@ -23,6 +23,7 @@
 			<% end_loop %>
 		</select>

+		<input type="hidden" name="SecurityID" value="$SecurityID" />
 		<input type="submit" class="action" value="<% _t('ADD', 'Add') %>" /> 
 	</div>
 	<% end_if %>