API CHANGE Added security token to TableListField->Link() in order to include it in all URL actions automatically. This ensures that field actions bypassing Form->httpSubmission() still get CSRF protection (from r113275)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@114528 467b73ca-7a2a-4603-9d3b-597d59a354a9
commit 5c0b2182aec89de68327813f29871eeca9421188 1 parent c63b00f
@sminnee sminnee authored
Showing with 26 additions and 1 deletion.
  1. +26 −1 forms/TableListField.php
27 forms/TableListField.php
@@ -1178,6 +1178,28 @@ function CurrentLink() {
return $link;
}
+
+ /**
+ * Overloaded to automatically add security token.
+ *
+ * @param String $action
+ * @return String
+ */
+ function Link($action = null) {
+ $form = $this->getForm();
+ if($form) {
+ $token = $form->getSecurityToken();
+ $parentUrlParts = parse_url(parent::Link($action));
+ $queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
+ // Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
+ if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
+ return Controller::join_links($parentUrlParts['path'], $action, $queryPart);
+ } else {
+ // allow for instanciation of this FormField outside of a controller/form
+ // context (e.g. for unit tests)
+ return false;
+ }
+ }
function BaseLink() {
user_error("TableListField::BaseLink() deprecated, use Link() instead", E_USER_NOTICE);
@@ -1414,9 +1436,12 @@ function Can($mode) {
}
function Link($action = null) {
- if($this->parent->getForm()) {
+ $form = $this->parent->getForm();
+ if($form) {
$parentUrlParts = parse_url($this->parent->Link());
$queryPart = (isset($parentUrlParts['query'])) ? '?' . $parentUrlParts['query'] : null;
+ // Ensure that URL actions not routed through Form->httpSubmission() are protected against CSRF attacks.
+ if($form->securityTokenEnabled()) $queryPart = $token->addtoUrl($queryPart);
return Controller::join_links($parentUrlParts['path'], 'item', $this->item->ID, $action, $queryPart);
} else {
// allow for instanciation of this FormField outside of a controller/form
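Review bot: In the second hunk, the item-level `Link()` (the one built on `$this->parent`) calls `$token->addtoUrl($queryPart)` on its new line without ever assigning `$token`, so whenever `securityTokenEnabled()` is true the method-call on an undefined variable will fail at runtime instead of protecting the action — the CSRF guard this commit adds for item URLs breaks the link rather than guarding it. Mirror the outer `Link()` in the first hunk and fetch the token from the form before using it: `$token = $form->getSecurityToken();` right after `$form = $this->parent->getForm();`. Separately, since the first hunk now makes `$this->parent->Link()` carry the token in its query string, the `parse_url` result on the following line presumably already includes it, and the second `addtoUrl` call may append the token parameter a second time unless `addtoUrl` de-duplicates — confirm, and if it does not, the item-level call can probably be dropped. The enclosing function continues past the end of the hunk.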