Fixed ajax callbacks.
authorMatthias Hutterer
Wed, 20 Feb 2013 09:13:50 +0000 (10:13 +0100)
committerMatthias Hutterer
Wed, 20 Feb 2013 09:13:50 +0000 (10:13 +0100)
js/doubleTree.js
js/termData.js
js/tree.js
js/updateWeight.js
taxonomy_manager.admin.inc

index ff04909..ea94d34 100644 (file)
@@ -11,6 +11,8 @@ Drupal.DoubleTree = function(tree1, tree2) {
   this.updateWholeTree = false;
   this.url = Drupal.settings.DoubleTree['url'];
   this.param = new Object();
+  this.param['form_id'] = $(':input[name="form_id"]').val();
+  this.param['form_token'] = $(':input[name="form_token"]').val();
 
   this.attachOperations();
 }
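Review bot: The token is read with document-wide selectors at lines 17-18, `$(':input[name="form_id"]')` and `$(':input[name="form_token"]')`, so the first form_id and the first form_token anywhere on the page are taken, and on a Drupal page with several forms (not all of which carry a token) they can come from two different forms; `drupal_valid_token` would then reject the pair for a legitimate user. Scope both lookups to the double-tree's own form, as tree.js does in this commit: `var form = $('#taxonomy-manager-double-tree-operations').parents('form'); this.param['form_id'] = form.find(':input[name="form_id"]').val(); this.param['form_token'] = form.find(':input[name="form_token"]').val();`. The element id is inferred from the click binding at line 23 — confirm it sits inside the form that carries the token. Drupal.DoubleTree's signature is only visible in the hunk header.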
@@ -23,7 +25,6 @@ Drupal.DoubleTree.prototype.attachOperations = function() {
   $('#taxonomy-manager-double-tree-operations :input').click(function() {
     doubleTree.selected_terms = new Array();
     doubleTree.selected_parents = new Array();
-    doubleTree.param = new Object();
 
     var button_value = $(this).val();
     doubleTree.param['op'] = 'move';
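Review bot: With the reset at removed line 26 gone, `doubleTree.param` persists across clicks, so any key written by a previous operation is re-posted with the next one unless every later assignment overwrites it; only form_id and form_token were meant to survive. Rebuild the object while keeping the two token fields in place of the removed line: `doubleTree.param = {form_id: doubleTree.param['form_id'], form_token: doubleTree.param['form_token']};`. Whether a key actually lingers depends on the rest of the handler, which continues past the hunk.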
index 2d29ac5..5e9d756 100644 (file)
@@ -100,6 +100,9 @@ Drupal.TermData = function(tid, href, li, tree) {
   this.tree = tree
   this.form_build_id = tree.form_build_id;
   this.form_id = tree.form_id;
+  this.param = new Object();
+  this.param['form_id'] = tree.form_id;
+  this.param['form_token'] = tree.form_token;
   this.vid = tree.vocId;
   this.div = $('#taxonomy-term-data');
 }
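Review bot: form_id is now kept twice on the object, as `this.form_id` at line 34 and as `this.param['form_id']` at line 36, with nothing in the hunk reading the first copy any more; a single source avoids the two drifting apart. If nothing outside this hunk reads `this.form_id` or `this.form_build_id`, drop lines 33-34 and keep `this.param` as the only request payload; otherwise a comment such as `// this.param is what load() sends; form_id/form_build_id are kept for callers that read them directly` documents why both exist. Drupal.TermData's signature is only visible in the hunk header.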
@@ -111,11 +114,8 @@ Drupal.TermData = function(tid, href, li, tree) {
 Drupal.TermData.prototype.load = function() {
   var url = this.href;
   var termdata = this;
-  var param = new Object();
-  param['form_build_id'] = this.form_build_id;
-  param['form_id'] = this.form_id;
 
-  $.get(url, param, function(data) {
+  $.get(url, this.param, function(data) {
     termdata.insertForm(data);
   });
 }
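Review bot: The token now travels in the query string, because line 50 sends `this.param` through `$.get`, so form_token is written to web-server and proxy logs and can leak through the Referer header of anything the loaded fragment references; a CSRF token belongs in the request body. If the handler behind `this.href` reads `$_POST` like the other callbacks in this commit, the change is `$.post(url, this.param, function(data) {`, otherwise the handler should switch together with the client. Note also that form_build_id, sent by the removed line 46, is no longer part of the request — fine if the server never read it, otherwise it must be added to `this.param`.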
@@ -133,7 +133,6 @@ Drupal.TermData.prototype.insertForm = function(data) {
  */
 Drupal.TermData.prototype.form = function() {
   var termdata = this;
-  this.param = new Object();
 
   try {
     Drupal.behaviors.textarea(this.div);
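Review bot: Dropping the reset at line 58 means `this.param` keeps whatever an earlier call of form() stored on top of the form_id and form_token set in the constructor, so stale fields can ride along on the next submission unless the rest of form() overwrites every key. Reset while preserving the token fields instead: `this.param = {form_id: this.param['form_id'], form_token: this.param['form_token']};`. Drupal.TermData.prototype.form continues outside the hunk, so whether a key actually lingers cannot be confirmed from here.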
index be8dcd9..35b6a36 100755 (executable)
@@ -49,8 +49,9 @@ Drupal.TaxonomyManagerTree = function(id, vid) {
   this.ul = $(this.div).children();
 
   this.form = $(this.div).parents('form');
-  this.form_build_id = $(this.form).children().children(':input[name="form_build_id"]').val();
-  this.form_id = $(this.form).children().children(' :input[name="form_id"]').val();
+  this.form_build_id = $(this.form).find(':input[name="form_build_id"]').val();
+  this.form_id = $(this.form).find(' :input[name="form_id"]').val();
+  this.form_token = $(this.form).find(' :input[name="form_token"]').val();
   this.language = this.getLanguage();
   this.treeId = id;
   this.vocId = vid;
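Review bot: Lines 70-71 carry a stray leading space inside the selector string (`' :input[name=...]'`) while line 69 does not; it is a harmless descendant combinator but reads like a typo, so make the three lines uniform: `this.form_id = $(this.form).find(':input[name="form_id"]').val();` and `this.form_token = $(this.form).find(':input[name="form_token"]').val();`. Also, `.val()` yields undefined when the form has no form_token element (Drupal does not emit one for every form), and that value is then serialized into the AJAX requests by the other files in this commit; the server rejects it, so a comment `// undefined when the form carries no token; the server-side check then rejects the request` would make the expected failure mode explicit. Drupal.TaxonomyManagerTree's constructor continues past the hunk.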
index ad67eda..f59e788 100644 (file)
@@ -4,12 +4,14 @@
  */
 
 //object to store weights (tid => weight)
-var weights = new Object();
+var termWeightsData = new Object();
 
 Drupal.behaviors.TaxonomyManagerWeights = function(context) {
   var settings = Drupal.settings.updateWeight || [];
   if (!$('#taxonomy-manager-toolbar' + '.tm-weights-processed').size()) {
     $('#taxonomy-manager-toolbar').addClass('tm-weights-processed');
+    termWeightsData['form_token'] = $('input[name=form_token]').val();
+    termWeightsData['form_id'] = $('input[name=form_id]').val();
     Drupal.attachUpdateWeightToolbar(settings['up'], settings['down']);
     Drupal.attachUpdateWeightTerms();
   }
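Review bot: Lines 87-88 read the token with document-wide selectors, `$('input[name=form_token]')` and `$('input[name=form_id]')`, so the first matching input on the page wins, which on a page with several forms may not be the taxonomy manager form and may even pair a form_id from one form with a form_token from another; the server-side `drupal_valid_token` check would then fail for legitimate users. Scope both to the toolbar's form: `var form = $('#taxonomy-manager-toolbar').parents('form'); termWeightsData['form_token'] = form.find(':input[name="form_token"]').val(); termWeightsData['form_id'] = form.find(':input[name="form_id"]').val();`. Quoting the attribute values also matches the selector style used in tree.js in this commit. Drupal.behaviors.TaxonomyManagerWeights continues past the hunk.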
@@ -32,7 +34,7 @@ Drupal.attachUpdateWeightToolbar = function(upButton, downButton) {
       Drupal.orderTerms(upTerm, downTerm);
     }
     if (selected.length > 0) {
-      $.post(url, weights);
+      $.post(url, termWeightsData);
     }
   });
 
@@ -46,7 +48,7 @@ Drupal.attachUpdateWeightToolbar = function(upButton, downButton) {
       Drupal.orderTerms(upTerm, downTerm);
     }
     if (selected.length > 0) {
-      $.post(url, weights);
+      $.post(url, termWeightsData);
     }
   });
 }
@@ -88,7 +90,7 @@ Drupal.attachUpdateWeightTerms = function(parent, currentIndex) {
       var downTerm = $(upTerm).prev();
 
       Drupal.orderTerms(upTerm, downTerm);
-      $.post(url, weights);
+      $.post(url, termWeightsData);
 
       $(downTerm).find(termLineClass).unbind('mouseover');
       setTimeout(function() {
@@ -106,7 +108,7 @@ Drupal.attachUpdateWeightTerms = function(parent, currentIndex) {
       var upTerm = $(downTerm).next();
 
       Drupal.orderTerms(upTerm, downTerm);
-      $.post(url, weights);
+      $.post(url, termWeightsData);
 
       $(upTerm).find(termLineClass).unbind('mouseover');
       setTimeout(function() {
@@ -176,12 +178,12 @@ Drupal.swapWeights = function(upTerm, downTerm) {
 
   //same weight, decrease upTerm
   if (upWeight == downWeight) {
-    weights[upTid] = --upWeight;
+    termWeightsData['weights['+ upTid +']'] = --upWeight;
   }
   //different weights, swap
   else {
-    weights[upTid] = downWeight;
-    weights[downTid] = upWeight;
+    termWeightsData['weights['+ upTid +']'] = downWeight;
+    termWeightsData['weights['+ downTid +']'] = upWeight;
   }
 
   //update prev siblings if necessary
@@ -190,7 +192,7 @@ Drupal.swapWeights = function(upTerm, downTerm) {
       $(upTerm).prevAll().each(function() {
         var id = Drupal.getTermId(this);
         var weight = Drupal.getWeight(this);
-        weights[id] = --weight;
+        termWeightsData['weights['+ id +']'] = --weight;
       });
     }
   } catch(e) {
@@ -203,7 +205,7 @@ Drupal.swapWeights = function(upTerm, downTerm) {
       $(downTerm).nextAll().each(function() {
         var id = Drupal.getTermId(this);
         var weight = Drupal.getWeight(this);
-        weights[id] = ++weight;
+        termWeightsData['weights['+ id +']'] = ++weight;
       });
     }
   } catch(e) {
@@ -219,8 +221,8 @@ Drupal.getWeight = function(li) {
   var id = Drupal.getTermId(li);
   var weight;
 
-  if (weights[id] != null) {
-    weight = weights[id];
+  if (termWeightsData['weights['+ id +']'] != null) {
+    weight = termWeightsData['weights['+ id +']'];
   }
   else {
     weight = $(li).find("input:hidden[class=weight-form]").attr("value");
index 1358625..03615ea 100644 (file)
@@ -1555,12 +1555,33 @@ function taxonomy_manager_settings() {
 }
 
 /**
+ * Validates a custom AJAX callback by ensuring that the request contains a
+ * valid form token, which prevents CSRF.
+ *
+ * @param $submitted_data
+ *   An array containing the submitted data, usually $_POST. Needs to contain
+ *   form_token and form_id.
+ *
+ * @return
+ *   TRUE if a valid token is provided, else FALSE.
+ */
+function taxonomy_manager_valid_ajax_callback($submitted_data) {
+  if (isset($submitted_data['form_token']) && isset($submitted_data['form_id']) && drupal_valid_token($submitted_data['form_token'], $submitted_data['form_id'])) {
+    return TRUE;
+  }
+  return FALSE;
+}
+
+/**
  * callback handler for updating term data
  *
  * @param $vid
  */
 function taxonomy_manager_term_data_edit() {
   $param = $_POST;
+  if (!taxonomy_manager_valid_ajax_callback($param)) {
+    return;
+  }
 
   $msg = t("Changes successfully saved");
   $is_error_msg = FALSE;
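Review bot: `taxonomy_manager_valid_ajax_callback` at lines 188-193 binds the token only to the form_id the request itself supplies, so any (form_id, form_token) pair the browser has been issued for any Drupal form in the session is accepted; that is enough against a third-party CSRF, since the attacker holds none of them, but it would be tighter to also require form_id to be one of this module's own forms, e.g. `if ($submitted_data['form_id'] !== $expected_form_id) { return FALSE; }` with the expected id taken from the module's form definition (not visible in this hunk). Separately, the bail-out at lines 202-204 answers a rejected request with an empty body and HTTP 200, so the JavaScript caller cannot distinguish a rejection from an empty result; `drupal_access_denied(); return;` gives a 403 the client can react to. The docblock should also state that this check does not replace the menu access callback, since the token proves only that the request came from a page the user loaded. taxonomy_manager_term_data_edit continues past the hunk.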
@@ -1778,6 +1799,9 @@ function taxonomy_manager_term_data_edit() {
  */
 function taxonomy_manager_double_tree_edit() {
   $params = $_POST;
+  if (!taxonomy_manager_valid_ajax_callback($params)) {
+    return;
+  }
   $op = $params['op'];
 
   $msg = "";
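Review bot: The early `return;` at line 213 answers a rejected request with an empty 200 response, so a user whose session token has gone stale presumably sees nothing happen instead of an error, and the client cannot tell rejection from success. Replace it with `drupal_access_denied(); return;`, or print an error message in the same format the function otherwise returns, so the rejection is visible. `$op = $params['op']` at line 215 still reads the key without `isset()`, a PHP notice on malformed input that the token check does not prevent. taxonomy_manager_double_tree_edit continues past the hunk.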
@@ -2345,9 +2369,9 @@ function taxonomy_manager_autocomplete_search_terms($typed_input, $vid, $include
  *
  */
 function taxonomy_manager_update_weights() {
-  $weights = $_POST;
-  if (is_array($weights)) {
-    foreach ($weights as $tid => $weight) {
+  $submitted_data = $_POST;
+  if (taxonomy_manager_valid_ajax_callback($submitted_data) && is_array($submitted_data['weights'])) {
+    foreach ($submitted_data['weights'] as $tid => $weight) {
       if (is_numeric($tid) && is_numeric($weight)) {
         db_query("UPDATE {term_data} SET weight = %d WHERE tid = %d", $weight, $tid);
       }
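Review bot: `is_array($submitted_data['weights'])` at line 226 indexes the key without `isset()`, so a request carrying a valid token but no weights field raises an undefined-index notice; write `!empty($submitted_data['weights']) && is_array($submitted_data['weights'])`. The loop at lines 227-229 filters with `is_numeric`, which also accepts floats and exponent notation; `%d` casts them so there is no injection risk, but the intent is integer ids and weights, and a comment saying so would save the next reader the check. Since the array now arrives through the `weights[...]` keys that updateWeight.js builds, a one-line note above the loop, `// $_POST['weights'] is keyed by tid; built client-side in updateWeight.js`, documents the contract. The function's closing brace lies outside the hunk.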