3 files changed, 20 insertions, 6 deletions

diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index 7d594dc04..b2463ed3f 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -123,11 +123,22 @@ function ajax_suggestions() {
 function ajax_lock(){
     global $conf;
     global $lang;
-    $id = cleanID($_POST['id']);
-    if(empty($id)) return;
+    global $ID;
+    global $INFO;
+
+    $ID = cleanID($_POST['id']);
+    if(empty($ID)) return;
+    if (!checkSecurityToken()) return;
+
+    $INFO = pageinfo();
+
+    if (!$INFO['writable']) {
+        echo 'Permission denied';
+        return;
+    }
 
-    if(!checklock($id)){
-        lock($id);
+    if(!checklock($ID)){
+        lock($ID);
         echo 1;
     }
 
@@ -135,14 +146,14 @@ function ajax_lock(){
         $client = $_SERVER['REMOTE_USER'];
         if(!$client) $client = clientIP(true);
 
-        $draft = array('id'     => $id,
+        $draft = array('id'     => $ID,
                 'prefix' => substr($_POST['prefix'], 0, -1),
                 'text'   => $_POST['wikitext'],
                 'suffix' => $_POST['suffix'],
                 'date'   => (int) $_POST['date'],
                 'client' => $client,
                 );
-        $cname = getCacheName($draft['client'].$id,'.draft');
+        $cname = getCacheName($draft['client'].$ID,'.draft');
         if(io_saveFile($cname,serialize($draft))){
             echo $lang['draftdate'].' '.dformat();
         }
@@ -158,6 +169,7 @@ function ajax_lock(){
 function ajax_draftdel(){
     $id = cleanID($_REQUEST['id']);
     if(empty($id)) return;
+    if (!checkSecurityToken()) return;
 
     $client = $_SERVER['REMOTE_USER'];
     if(!$client) $client = clientIP(true);
diff --git a/lib/scripts/edit.js b/lib/scripts/edit.js
index a96a346dc..31afcc126 100644
--- a/lib/scripts/edit.js
+++ b/lib/scripts/edit.js
@@ -275,6 +275,7 @@ function deleteDraft() {
     if(dwform){
         var params = 'call=draftdel';
         params += '&id='+encodeURIComponent(dwform.elements.id.value);
+        params += '&sectok='+encodeURIComponent(dwform.elements.sectok.value);
 
         var sackobj = new sack(DOKU_BASE + 'lib/exe/ajax.php');
         // this needs to be synchronous and GET to not be aborted upon page unload
diff --git a/lib/scripts/locktimer.js b/lib/scripts/locktimer.js
index 0db7d2b15..5335e228f 100644
--- a/lib/scripts/locktimer.js
+++ b/lib/scripts/locktimer.js
@@ -73,6 +73,7 @@ var locktimer = {
         if(now.getTime() - locktimer.lasttime.getTime() > 30*1000){
             var params = 'call=lock&id='+encodeURIComponent(locktimer.pageid);
             var dwform = $('dw__editform');
+            params += '&sectok='+encodeURIComponent(dwform.elements.sectok.value);
             if(locktimer.draft && dwform.elements.wikitext){
                 params += '&prefix='+encodeURIComponent(dwform.elements.prefix.value);
                 params += '&wikitext='+encodeURIComponent(dwform.elements.wikitext.value);