diff options
author | Dries Buytaert <dries@buytaert.net> | 2009-12-14 13:51:57 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2009-12-14 13:51:57 +0000 |
commit | 527a054952f48b350641b82f4bd6d37390b54d0a (patch) | |
tree | 0e4ca56524bba92ce492257ecfaa712d443234ae /includes | |
parent | 516d24d1cd880c9ee6ccab195fd50d90c6f74e13 (diff) | |
download | brdo-527a054952f48b350641b82f4bd6d37390b54d0a.tar.gz brdo-527a054952f48b350641b82f4bd6d37390b54d0a.tar.bz2 |
- Patch #644648 by sun: cleaned up, documented, and corrected some ['#token'] code.
Diffstat (limited to 'includes')
-rw-r--r-- | includes/form.inc | 26 |
1 files changed, 15 insertions, 11 deletions
diff --git a/includes/form.inc b/includes/form.inc index 394345e38..47d8c9908 100644 --- a/includes/form.inc +++ b/includes/form.inc @@ -688,22 +688,26 @@ function drupal_prepare_form($form_id, &$form, &$form_state) { // authenticated users. This ensures that any submitted form was actually // requested previously by the user and protects against cross site request // forgeries. - if (isset($form['#token'])) { - if ($form['#token'] === FALSE || $user->uid == 0 || $form_state['programmed']) { + // This does not apply to programmatically submitted forms. Furthermore, since + // tokens are session-bound and forms displayed to anonymous users are very + // likely cached, we cannot assign a token for them. + // During installation, there is no $user yet. + if (!empty($user->uid) && !$form_state['programmed']) { + // Form constructors may explicitly set #token to FALSE when cross site + // request forgery is irrelevant to the form, such as search forms. + if (isset($form['#token']) && $form['#token'] === FALSE) { unset($form['#token']); } + // Otherwise, generate a public token based on the form id. else { - $form['form_token'] = array('#type' => 'token', '#default_value' => drupal_get_token($form['#token'])); + $form['#token'] = $form_id; + $form['form_token'] = array( + '#id' => drupal_html_id('edit-' . $form_id . '-form-token'), + '#type' => 'token', + '#default_value' => drupal_get_token($form['#token']), + ); } } - elseif (isset($user->uid) && $user->uid && !$form_state['programmed']) { - $form['#token'] = $form_id; - $form['form_token'] = array( - '#id' => drupal_html_id('edit-' . $form_id . '-form-token'), - '#type' => 'token', - '#default_value' => drupal_get_token($form['#token']), - ); - } if (isset($form_id)) { $form['form_id'] = array( |