Added csrf verification to show image upload and deletion
This commit is contained in:
Duncan Sommerville
parent
f1a311dad6
commit
17d51eb0f9
|
|
@ -79,7 +79,7 @@ class Application_Form_AddShowStyle extends Zend_Form_SubForm
|
|||
->addValidator('Count', false, 1)
|
||||
->addValidator('Extension', false, 'jpg,jpeg,png,gif')
|
||||
->addFilter('ImageSize');
|
||||
|
||||
|
||||
$this->addElement($upload);
|
||||
|
||||
// Add image preview
|
||||
|
|
@ -93,6 +93,14 @@ class Application_Form_AddShowStyle extends Zend_Form_SubForm
|
|||
'class' => 'big'
|
||||
))));
|
||||
$preview->setAttrib('disabled','disabled');
|
||||
|
||||
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
|
||||
$csrf_element = new Zend_Form_Element_Hidden('csrf');
|
||||
$csrf_element->setValue($csrf_namespace->authtoken)
|
||||
->setRequired('true')
|
||||
->removeDecorator('HtmlTag')
|
||||
->removeDecorator('Label');
|
||||
$this->addElement($csrf_element);
|
||||
}
|
||||
|
||||
public function disable()
|
||||
|
|
|
|||
|
|
@ -668,7 +668,7 @@ function setAddShowEvents(form) {
|
|||
var showId = $("#add_show_id").attr("value");
|
||||
|
||||
if (showId && $("#add_show_logo_current").attr("src") !== "") {
|
||||
var action = '/rest/show-image?id=' + showId;
|
||||
var action = '/rest/show-image?csrf_token=' + $('#csrf').val() + '&id=' + showId;
|
||||
|
||||
$.ajax({
|
||||
url: action,
|
||||
|
|
@ -748,7 +748,7 @@ function setAddShowEvents(form) {
|
|||
data: {format: "json", data: data, hosts: hosts, days: days},
|
||||
success: function(json) {
|
||||
if (json.showId && image) { // Successfully added the show, and it contains an image to upload
|
||||
var imageAction = '/rest/show-image?id=' + json.showId;
|
||||
var imageAction = '/rest/show-image?csrf_token=' + $('#csrf').val() + '&id=' + json.showId;
|
||||
|
||||
// perform a second xhttprequest in order to send the show image
|
||||
$.ajax({
|
||||
|
|
|
|||
Loading…
Reference in New Issue