add CSRF protection token

plone · Feb 26, 2015 · d37d552 · d37d552
1 parent 265fc25
commit d37d552
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -7,6 +7,8 @@ Changelog
 - Update markup and javscript for Plone 5.
   [davisagli]
 
+- Add CSRF protection token
+  [ebrehault]
 
 2.0.1 (2014-10-23)
 ------------------

diff --git a/plone/schemaeditor/browser/schema/schema_listing.pt b/plone/schemaeditor/browser/schema/schema_listing.pt
@@ -16,6 +16,7 @@
 
   <metal:form metal:use-macro="context/@@ploneform-macros/form">
     <metal:top-slot metal:fill-slot="formtop">
+      <input tal:replace="structure context/@@authenticator/authenticator" />
       <script type="text/javascript"
               tal:attributes="src context/++resource++schemaeditor.js"></script>
       <style type="text/css">

diff --git a/plone/schemaeditor/browser/schema/schemaeditor.js b/plone/schemaeditor/browser/schema/schemaeditor.js
@@ -139,20 +139,26 @@
             if (!confirm(trigger.attr('data-confirm_msg'))) {
                 return;
             }
-            $.post(trigger.attr('href'), null, function (data) {
+            $.post(trigger.attr('href'), {
+                _authenticator: $('input[name="_authenticator"]').val(),
+            }, function (data) {
                 trigger.closest('.fieldPreview').detach();
             }, 'text');
         });
         // reorder fields and change fieldsets
         $('.fieldPreview.orderable').plone_schemaeditor_html5_sortable(function (position, fieldset_index) {
             var url = window.location.href.replace('/@@fields', '') + '/' + this.attr('data-field_id') + '/@@order';
             $.post(url, {
+                _authenticator: $('input[name="_authenticator"]').val(),
                 pos: position,
                 fieldset_index: fieldset_index
             });
         }, function (fieldset_index) {
             var url = window.location.href.replace('/@@fields', '') + '/' + this.attr('data-field_id') + '/@@changefieldset';
-            $.post(url, { fieldset_index: fieldset_index });
+            $.post(url, {
+                _authenticator: $('input[name="_authenticator"]').val(),
+                fieldset_index: fieldset_index
+            });
         });
         set_id_from_title = function () {
             var id = $.plone_schemaeditor_normalize_string($(this).val());