Addition of block token to ensure json block rendering is only available to those... 6.x-3.1
authorFox
Wed, 19 Dec 2012 17:49:48 +0000 (09:49 -0800)
committerFox
Wed, 19 Dec 2012 17:49:48 +0000 (09:49 -0800)
plugins/context_reaction_block.inc
plugins/context_reaction_block.js
theme/context_reaction_block.theme.inc

index ad3236e..6293210 100644 (file)
@@ -561,7 +561,7 @@ class context_reaction_block extends context_reaction {
     }
 
     foreach ($headers as $header) {
-      if ($header == "HTTP/1.1 404 Not Found" || $header == "HTTP/1.1 403 Forbidden") {
+      if (strpos($header, "404 Not Found") !== FALSE || strpos($header, "403 Forbidden") !== FALSE) {
         return;
       }
     }
@@ -572,6 +572,11 @@ class context_reaction_block extends context_reaction {
     if (strpos($param, ',') !== FALSE) {
       list($bid, $context) = explode(',', $param);
       list($module, $delta) = explode('-', $bid, 2);
+      // Check token to make sure user has access to block.
+      if (empty($_GET['context_token']) || $_GET['context_token'] != drupal_get_token($bid)) {
+        echo drupal_to_js(array('status' => 0));
+        exit;
+      }
 
       // Ensure $bid is valid.
       $info = $this->get_blocks();
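Review bot: The added token check compares with PHP's loose `!=`, so two hex tokens that both happen to look like numeric strings (the `0e…` form) compare equal after type juggling; the comparison should be strict, `if (empty($_GET['context_token']) || $_GET['context_token'] !== drupal_get_token($bid)) {` (core's `drupal_valid_token($token, $value)` is the conventional wrapper for the same check). A short comment above the check saying that the token is issued per `$bid` by the block browser theme preprocessor would also help the next maintainer see where the other half lives. The enclosing method starts before this hunk and continues after it, so whether the branch for a `$param` without a comma is also guarded cannot be seen here.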
index 67e2031..8a937e2 100644 (file)
@@ -242,6 +242,11 @@ DrupalContextBlockEditor.prototype.addBlock = function(event, ui, editor, contex
     // Construct query params for our AJAX block request.
     var params = Drupal.settings.contextBlockEditor.params;
     params.context_block = bid + ',' + context;
+    if (!Drupal.settings.contextBlockEditor.block_tokens || !Drupal.settings.contextBlockEditor.block_tokens[bid]) {
+      alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administer.'));
+      return;
+    }
+    params.context_token = Drupal.settings.contextBlockEditor.block_tokens[bid];
 
     // Replace item with loading block.
     var blockLoading = $('<div class="context-block-item context-block-loading"><span class="icon"></span></div>');
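Review bot: The new guard runs after `params.context_block` has already been written onto the shared `Drupal.settings.contextBlockEditor.params` object, so a missing token leaves a stale `context_block` value behind in settings that later calls inherit; the check should come before any mutation of `params`. The repeated `Drupal.settings.contextBlockEditor.block_tokens` lookups can be hoisted into one local, and the alert text has a typo, `administer` should be `administrator`. addBlock starts before this hunk and continues after it.
```javascript
    // Refuse early, before touching the shared params object.
    var tokens = Drupal.settings.contextBlockEditor.block_tokens;
    if (!tokens || !tokens[bid]) {
      alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administrator.'));
      return;
    }
    // Construct query params for our AJAX block request.
    var params = Drupal.settings.contextBlockEditor.params;
    params.context_block = bid + ',' + context;
    params.context_token = tokens[bid];
    // … unchanged: loading placeholder and AJAX request …
```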
index 85992ec..b5c2813 100644 (file)
@@ -91,8 +91,13 @@ function template_preprocess_context_block_browser(&$vars) {
  * Preprocessor for theme('context_block_browser_item').
  */
 function template_preprocess_context_block_browser_item(&$vars) {
+  static $added = array();
   $vars['bid'] = $vars['block']->bid;
   $vars['info'] = check_plain($vars['block']->info);
+  if (empty($added[$vars['bid']])) {
+    drupal_add_js(array('contextBlockEditor' => array('block_tokens' => array($vars['bid'] => drupal_get_token($vars['bid'])))), 'setting');
+    $added[$vars['bid']] = TRUE;
+  }
 }
 
 /**
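Review bot: The new `static $added` cache and the `drupal_add_js(..., 'setting')` call carry no comment explaining what the token is for or why it is emitted once per bid, which a reader of this preprocessor alone cannot infer. Suggested comment above the `if (empty($added[$vars['bid']]))` line: `// Expose a per-block token once per bid; the AJAX block render callback rejects requests whose context_token does not match drupal_get_token($bid).` Since the token is derived from the current session, the docblock for this function should also state that the settings it adds are only valid for the session that rendered the browser.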