Addition of block token to ensure json block rendering is only available to those... 7.x-3.0-beta6
authorChris Johnson
Wed, 19 Dec 2012 01:06:45 +0000 (20:06 -0500)
committerChris Johnson
Wed, 19 Dec 2012 01:06:45 +0000 (20:06 -0500)
plugins/context_reaction_block.inc
plugins/context_reaction_block.js
theme/context_reaction_block.theme.inc

index afc4f08..c14aa98 100644 (file)
@@ -640,6 +640,11 @@ class context_reaction_block extends context_reaction {
     if (strpos($param, ',') !== FALSE) {
       list($bid, $context) = explode(',', $param);
       list($module, $delta) = explode('-', $bid, 2);
+      // Check token to make sure user has access to block.
+      if (empty($_GET['context_token']) || $_GET['context_token'] != drupal_get_token($bid)) {
+        echo drupal_json_encode(array('status' => 0));
+        exit;
+      }
 
       // Ensure $bid is valid.
       $info = $this->get_blocks();
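Review bot: The token comparison on the added line uses loose `!=`, so the check relies on PHP type juggling rather than a strict string match; Drupal already provides `drupal_valid_token()`, which does the `===` comparison against `drupal_get_token($value)` for you. The guard should read `if (empty($_GET['context_token']) || !drupal_valid_token($_GET['context_token'], $bid)) {`, which also keeps this handler consistent with how other form/AJAX callbacks in core validate tokens. Since `drupal_get_token()` is bound to the current session, a token lifted from another user's page will not validate here, which is presumably the intent of the commit; a short comment stating that, e.g. `// Token is session-bound: only a user who was handed this block's token (via the block browser) can fetch its rendered JSON.`, would make the trust boundary explicit. The enclosing method starts and ends outside this hunk, so whether `$param` is validated before this point cannot be confirmed from here.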
index 05f1147..b51e2f3 100644 (file)
@@ -327,6 +327,11 @@ DrupalContextBlockEditor.prototype = {
       // Construct query params for our AJAX block request.
       var params = Drupal.settings.contextBlockEditor.params;
       params.context_block = bid + ',' + context;
+      if (!Drupal.settings.contextBlockEditor.block_tokens || !Drupal.settings.contextBlockEditor.block_tokens[bid]) {
+        alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administer.'));
+        return;
+     }
+     params.context_token = Drupal.settings.contextBlockEditor.block_tokens[bid];
 
       // Replace item with loading block.
       //ui.sender.append(ui.item);
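Review bot: The user-facing error string on the added `alert()` line has a typo, "administer" where "administrator" is meant; since it is wrapped in `Drupal.t()` the text is also the translation key, so it is worth fixing before it ships: `alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administrator.'));`. The closing brace and the `params.context_token = ...` assignment are indented five spaces while the surrounding code uses six, so they should be realigned. Note that `params` aliases `Drupal.settings.contextBlockEditor.params`, so the token is written into the shared settings object and persists between requests; that appears to follow the existing pattern for `context_block`, but a comment such as `// params is the shared settings object; context_token is overwritten on each request.` would save the next reader a trip. The enclosing method continues outside this hunk.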
index b794342..c103bab 100644 (file)
@@ -120,6 +120,11 @@ function template_preprocess_context_block_browser(&$vars) {
  * Preprocessor for theme('context_block_browser_item').
  */
 function template_preprocess_context_block_browser_item(&$vars) {
+  static $added = array();
   $vars['bid'] = $vars['block']->bid;
   $vars['info'] = check_plain($vars['block']->info);
+  if (empty($added[$vars['bid']])) {
+    drupal_add_js(array('contextBlockEditor' => array('block_tokens' => array($vars['bid'] => drupal_get_token($vars['bid'])))), 'setting');
+    $added[$vars['bid']] = TRUE;
+  }
 }
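Review bot: The added token plumbing has no comment explaining why a preprocess hook is issuing security tokens, which is the non-obvious part of this change; a reader of the theme file cannot see that `context_reaction_block` requires this value before returning block JSON. I would add above the `if (empty($added[...]))` line: `// Hand the client a session-bound token per block id. The AJAX block renderer in context_reaction_block requires it, so only users who can render the block browser can fetch block markup.` and, for the static, `// drupal_add_js() settings are merged, so this only avoids re-emitting the same token for a bid rendered more than once.`. The token is keyed on `$vars['bid']` alone, matching the `$bid` the server side checks against, so the two halves agree; if the check is ever extended to include the context name, both places must change together.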