FIX: Check security ID on admin non form links (Fixes #158)
This commit is contained in:
Will Rossiter
parent
b2b030366b
commit
9b134f1a78
|
|
@ -176,6 +176,10 @@ class FieldEditor extends FormField {
|
|||
* @return bool|html
|
||||
*/
|
||||
public function addfield() {
|
||||
if(!SecurityToken::inst()->checkRequest($this->request)) {
|
||||
return $this->httpError(400);
|
||||
}
|
||||
|
||||
// get the last field in this form editor
|
||||
$parentID = $this->form->getRecord()->ID;
|
||||
|
||||
|
|
@ -217,6 +221,10 @@ class FieldEditor extends FormField {
|
|||
* @return bool|html
|
||||
*/
|
||||
public function addoptionfield() {
|
||||
if(!SecurityToken::inst()->checkRequest($this->request)) {
|
||||
return $this->httpError(400);
|
||||
}
|
||||
|
||||
// passed via the ajax
|
||||
$parent = (isset($_REQUEST['Parent'])) ? $_REQUEST['Parent'] : false;
|
||||
|
||||
|
|
|
|||
|
|
@ -239,13 +239,13 @@
|
|||
var options = $(this).parent("li");
|
||||
var action = userforms.appendToURL($("#Form_EditForm").attr("action"), '/field/Fields/addoptionfield');
|
||||
var parent = $(this).attr("rel");
|
||||
var securityID = ($("input[name=SecurityID]").length > 0) ? $("input[name=SecurityID]").first().attr("value") : '';
|
||||
|
||||
// send ajax request to the page
|
||||
$.ajax({
|
||||
type: "GET",
|
||||
url: action,
|
||||
data: 'Parent='+ parent,
|
||||
|
||||
data: 'Parent='+ parent +'&SecurityID='+securityID,
|
||||
// create a new field
|
||||
success: function(msg){
|
||||
options.before(msg);
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@
|
|||
<% end_loop %>
|
||||
</select>
|
||||
|
||||
<input type="hidden" name="SecurityID" value="$SecurityID" />
|
||||
<input type="submit" class="action" value="<% _t('ADD', 'Add') %>" />
|
||||
</div>
|
||||
<% end_if %>
|
||||
|
|
|
|||
Loading…
Reference in New Issue