authorDries Buytaert <dries@buytaert.net>2009-12-14 13:51:57 +0000
committerDries Buytaert <dries@buytaert.net>2009-12-14 13:51:57 +0000
commit527a054952f48b350641b82f4bd6d37390b54d0a (patch)
tree0e4ca56524bba92ce492257ecfaa712d443234ae
parent516d24d1cd880c9ee6ccab195fd50d90c6f74e13 (diff)
downloadbrdo-527a054952f48b350641b82f4bd6d37390b54d0a.tar.gz
brdo-527a054952f48b350641b82f4bd6d37390b54d0a.tar.bz2
- Patch #644648 by sun: cleaned up, documented, and corrected some ['#token'] code.
-rw-r--r--includes/form.inc26
-rw-r--r--modules/comment/comment.module2
-rw-r--r--modules/contact/contact.pages.inc4
3 files changed, 17 insertions, 15 deletions
diff --git a/includes/form.inc b/includes/form.inc
index 394345e38..47d8c9908 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -688,22 +688,26 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
// authenticated users. This ensures that any submitted form was actually
// requested previously by the user and protects against cross site request
// forgeries.
- if (isset($form['#token'])) {
- if ($form['#token'] === FALSE || $user->uid == 0 || $form_state['programmed']) {
+ // This does not apply to programmatically submitted forms. Furthermore, since
+ // tokens are session-bound and forms displayed to anonymous users are very
+ // likely cached, we cannot assign a token for them.
+ // During installation, there is no $user yet.
+ if (!empty($user->uid) && !$form_state['programmed']) {
+ // Form constructors may explicitly set #token to FALSE when cross site
+ // request forgery is irrelevant to the form, such as search forms.
+ if (isset($form['#token']) && $form['#token'] === FALSE) {
unset($form['#token']);
}
+ // Otherwise, generate a public token based on the form id.
else {
- $form['form_token'] = array('#type' => 'token', '#default_value' => drupal_get_token($form['#token']));
+ $form['#token'] = $form_id;
+ $form['form_token'] = array(
+ '#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
+ '#type' => 'token',
+ '#default_value' => drupal_get_token($form['#token']),
+ );
}
}
- elseif (isset($user->uid) && $user->uid && !$form_state['programmed']) {
- $form['#token'] = $form_id;
- $form['form_token'] = array(
- '#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
- '#type' => 'token',
- '#default_value' => drupal_get_token($form['#token']),
- );
- }
if (isset($form_id)) {
$form['form_id'] = array(
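Review bot: The `#token === FALSE` opt-out is now honoured only inside the `!empty($user->uid) && !$form_state['programmed']` branch, so for anonymous users and programmed submissions a form that set `#token => FALSE` keeps that value on the form array, whereas the removed code unset it unconditionally; if the validation side keys on `isset($form['#token'])` (not visible here), `FALSE` still counts as set. Testing the opt-out before the user check keeps the old guarantee: `if (isset($form['#token']) && $form['#token'] === FALSE) { unset($form['#token']); } elseif (!empty($user->uid) && !$form_state['programmed']) { $form['#token'] = $form_id; ... }`. The else branch also silently replaces any other constructor-supplied `#token` string with `$form_id` (this commit removes the one caller in contact.pages.inc that relied on that), which the new comment should state: `// Otherwise, generate a public token based on the form id; any other #token value set by the constructor is replaced.`. drupal_prepare_form starts before this hunk and continues after it.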
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 18e0e67d0..9f018dba8 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -1845,7 +1845,7 @@ function comment_form($form, &$form_state, $comment) {
$form['submit'] = array(
'#type' => 'submit',
'#value' => t('Save'),
- '#access' => variable_get('comment_preview_' . $node->type, DRUPAL_OPTIONAL) != DRUPAL_REQUIRED || (!form_get_errors() && isset($form_state['comment_preview'])),
+ '#access' => ($comment->cid && user_access('administer comments')) || variable_get('comment_preview_' . $node->type, DRUPAL_OPTIONAL) != DRUPAL_REQUIRED || (!form_get_errors() && isset($form_state['comment_preview'])),
'#weight' => 19,
);
$form['preview'] = array(
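Review bot: The new `($comment->cid && user_access('administer comments'))` clause changes who may save without a preview, which is unrelated to the `#token` cleanup in the commit message and is left unexplained in a `#access` expression that now chains three conditions on one line. A short comment above `$form['submit']` such as `// Administrators editing an existing comment may save without previewing, even when previews are required.` would record the intent; hoisting the expression into a named local (e.g. `$can_skip_preview`) would also make the three cases readable. This relies on `$comment->cid` being empty for new comments, which holds for the usual comment object but should be confirmed. comment_form starts before this hunk and continues after it.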
diff --git a/modules/contact/contact.pages.inc b/modules/contact/contact.pages.inc
index fcf3d6e2e..3dd4c3e47 100644
--- a/modules/contact/contact.pages.inc
+++ b/modules/contact/contact.pages.inc
@@ -61,7 +61,6 @@ function contact_site_form($form, &$form_state) {
$form['#attributes']['class'][] = 'user-info-from-cookie';
}
- $form['#token'] = $user->uid ? $user->name . $user->mail : '';
$form['name'] = array(
'#type' => 'textfield',
'#title' => t('Your name'),
@@ -171,7 +170,7 @@ function contact_site_form_submit($form, &$form_state) {
* @see contact_personal_form_validate()
* @see contact_personal_form_submit()
*/
-function contact_personal_form($form, &$form_state, stdClass $recipient) {
+function contact_personal_form($form, &$form_state, $recipient) {
global $user;
// Check if flood control has been activated for sending e-mails.
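Review bot: Dropping the `stdClass` hint from `contact_personal_form`'s `$recipient` parameter widens what the function accepts without saying why, and the commit message only mentions `#token` changes. The docblock directly above shows only `@see` entries in the hunk; if its `@param` for `$recipient` (above the hunk, if present) does not describe the expected value, add one, e.g. `@param $recipient The user account object of the person receiving the message.`, and a one-line comment on the reason the hint was removed (presumably the form is rebuilt with a value that is not a `stdClass` instance, to be confirmed). The function body continues past this hunk, where `$recipient` is stored as a `#value`, so any shape assumption should be stated there too.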
@@ -190,7 +189,6 @@ function contact_personal_form($form, &$form_state, stdClass $recipient) {
$form['#attributes']['class'][] = 'user-info-from-cookie';
}
- $form['#token'] = $user->uid ? $user->name . $user->mail : '';
$form['recipient'] = array(
'#type' => 'value',
'#value' => $recipient,