[SS-2015-029] FIX Add CSFR protection to tree reorganise

silverstripe · Apr 18, 2016 · 3c0f2e8 · 3c0f2e8
1 parent 1f820b0
commit 3c0f2e8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/admin/code/LeftAndMain.php b/admin/code/LeftAndMain.php
@@ -1046,6 +1046,9 @@ public function delete($data, $form) {
 	 * @return SS_HTTPResponse JSON string with a 
 	 */
 	public function savetreenode($request) {
+		if (!SecurityToken::inst()->checkRequest($request)) {
+			return $this->httpError(400);
+		}
 		if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) {
 			$this->response->setStatusCode(
 				403,

diff --git a/admin/javascript/LeftAndMain.Tree.js b/admin/javascript/LeftAndMain.Tree.js
@@ -97,7 +97,10 @@
 							});
 
 							$.ajax({
-								'url': self.data('urlSavetreenode'),
+								'url': $.path.addSearchParams(
+									self.data('urlSavetreenode'),
+									self.data('extraParams')
+								),
 								'type': 'POST',
 								'data': {
 									ID: nodeID,