From 9b134f1a7806368900f8eef0694df5778ceb34a4 Mon Sep 17 00:00:00 2001
From: Will Rossiter
Date: Wed, 4 Sep 2013 23:34:21 +1200
Subject: [PATCH] FIX: Check security ID on admin non form links (Fixes #158)
---
 code/formfields/FieldEditor.php | 8 ++++++++
 javascript/UserForm.js | 4 ++--
 templates/FieldEditor.ss | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/code/formfields/FieldEditor.php b/code/formfields/FieldEditor.php
index 8db3c75..503ad2f 100755
--- a/code/formfields/FieldEditor.php
+++ b/code/formfields/FieldEditor.php
@@ -176,6 +176,10 @@ class FieldEditor extends FormField {
 * @return bool|html
 */
 public function addfield() {
+ if(!SecurityToken::inst()->checkRequest($this->request)) {
+ return $this->httpError(400);
+ }
+
 // get the last field in this form editor
 $parentID = $this->form->getRecord()->ID;
@@ -217,6 +221,10 @@ class FieldEditor extends FormField {
 * @return bool|html
 */
 public function addoptionfield() {
+ if(!SecurityToken::inst()->checkRequest($this->request)) {
+ return $this->httpError(400);
+ }
+
 // passed via the ajax
 $parent = (isset($_REQUEST['Parent'])) ? $_REQUEST['Parent'] : false;
diff --git a/javascript/UserForm.js b/javascript/UserForm.js
index 7255c27..1b3b20a 100644
--- a/javascript/UserForm.js
+++ b/javascript/UserForm.js
@@ -239,13 +239,13 @@
 var options = $(this).parent("li");
 var action = userforms.appendToURL($("#Form_EditForm").attr("action"), '/field/Fields/addoptionfield');
 var parent = $(this).attr("rel");
+ var securityID = ($("input[name=SecurityID]").length > 0) ? $("input[name=SecurityID]").first().attr("value") : '';
 // send ajax request to the page
 $.ajax({
 type: "GET",
 url: action,
- data: 'Parent='+ parent,
-
+ data: 'Parent='+ parent +'&SecurityID='+securityID,
 // create a new field
 success: function(msg){
 options.before(msg);
diff --git a/templates/FieldEditor.ss b/templates/FieldEditor.ss
index 3fc61a1..79bbd56 100755
--- a/templates/FieldEditor.ss
+++ b/templates/FieldEditor.ss
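Review bot: The docblock directly above the new guard in addfield() still says only `@return bool|html` and does not mention the new failure path; add a line such as `* Responds with HTTP 400 when the request does not carry a valid SecurityID.` so callers of this AJAX endpoint know what to expect. The same four-line guard is added verbatim to addoptionfield() in the next hunk, so a small private helper, `private function tokenIsValid() { return SecurityToken::inst()->checkRequest($this->request); }`, called from both actions would keep the two checks from drifting apart. The body of addfield() continues outside the hunk.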
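Review bot: The new check validates the token against `$this->request`, but the `Parent` value on the line right after it is still read from `$_REQUEST`, which merges GET and POST data (and, depending on PHP's `request_order`, cookies), so the request whose token was verified and the input actually consumed are not the same object. Reading it as `$parent = $this->request->requestVar('Parent');`, keeping the existing `false` fallback when it is absent, puts both on the request the token was checked for. The body of addoptionfield() continues outside the hunk.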
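Review bot: The new `data:` line concatenates `securityID` straight into a query string without `encodeURIComponent`, and the call is still sent with `type: "GET"`, so the CSRF token travels in the URL where it lands in server access logs and Referer headers. Passing an object, `data: { Parent: parent, SecurityID: securityID },`, lets jQuery encode both values, and since addoptionfield creates a record the call is a candidate for `type: "POST"`, which the PHP-side `checkRequest()` should accept equally as it reads the token from the request variables rather than the method. When the page has no `input[name=SecurityID]` the new `securityID` variable is `''` and the request is still sent, only to be rejected with 400 by the server; a comment on that line, `// empty when no SecurityID input is present; the server rejects the request in that case`, would make the silent failure mode explicit. The enclosing click handler starts before the hunk.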
@@ -23,6 +23,7 @@ <% end_loop %> + <% end_if %>