tonyair/silverstripe-userforms
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-userforms.git synced 2024-10-22 15:05:42 +00:00
Code Issues Projects Releases Wiki Activity

FIX: Check security ID on admin non form links (Fixes #158)

Browse Source
This commit is contained in:
Will Rossiter 2013-09-04 23:34:21 +12:00
parent b2b030366b
commit 9b134f1a78
3 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
code/formfields/FieldEditor.php
View File

@ -176,6 +176,10 @@ class FieldEditor extends FormField {
* @return bool|html * @return bool|html
*/ */
public function addfield() { public function addfield() {
if(!SecurityToken::inst()->checkRequest($this->request)) {
return $this->httpError(400);
}
// get the last field in this form editor // get the last field in this form editor
$parentID = $this->form->getRecord()->ID; $parentID = $this->form->getRecord()->ID;
@ -217,6 +221,10 @@ class FieldEditor extends FormField {
* @return bool|html * @return bool|html
*/ */
public function addoptionfield() { public function addoptionfield() {
if(!SecurityToken::inst()->checkRequest($this->request)) {
return $this->httpError(400);
}
// passed via the ajax // passed via the ajax
$parent = (isset($_REQUEST['Parent'])) ? $_REQUEST['Parent'] : false; $parent = (isset($_REQUEST['Parent'])) ? $_REQUEST['Parent'] : false;

4
javascript/UserForm.js
View File

@ -239,13 +239,13 @@
var options = $(this).parent("li"); var options = $(this).parent("li");
var action = userforms.appendToURL($("#Form_EditForm").attr("action"), '/field/Fields/addoptionfield'); var action = userforms.appendToURL($("#Form_EditForm").attr("action"), '/field/Fields/addoptionfield');
var parent = $(this).attr("rel"); var parent = $(this).attr("rel");
var securityID = ($("input[name=SecurityID]").length > 0) ? $("input[name=SecurityID]").first().attr("value") : '';
// send ajax request to the page // send ajax request to the page
$.ajax({ $.ajax({
type: "GET", type: "GET",
url: action, url: action,
data: 'Parent='+ parent, data: 'Parent='+ parent +'&SecurityID='+securityID,
// create a new field // create a new field
success: function(msg){ success: function(msg){
options.before(msg); options.before(msg);

1
templates/FieldEditor.ss
View File

@ -23,6 +23,7 @@
<% end_loop %> <% end_loop %>
</select> </select>
<input type="hidden" name="SecurityID" value="$SecurityID" />
<input type="submit" class="action" value="<% _t('ADD', 'Add') %>" /> <input type="submit" class="action" value="<% _t('ADD', 'Add') %>" />
</div> </div>
<% end_if %> <% end_if %>