From 31bc8f119cd896f19085ea120b89356393d4f8e6 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Tue, 24 May 2011 22:38:27 +0200
Subject: Check permissions + security token in lock + draft modification
 FS#2265

This disables lock and draft creation for pages the user can't edit. It
additionally adds a security token to the draft creation and deletion
request so - at least for logged in users - drafts can't be created,
modified or deleted so easily anymore.
---
 lib/scripts/edit.js      | 1 +
 lib/scripts/locktimer.js | 1 +
 2 files changed, 2 insertions(+)

(limited to 'lib/scripts')

diff --git a/lib/scripts/edit.js b/lib/scripts/edit.js
index a96a346dc..31afcc126 100644
--- a/lib/scripts/edit.js
+++ b/lib/scripts/edit.js
@@ -275,6 +275,7 @@ function deleteDraft() {
     if(dwform){
         var params = 'call=draftdel';
         params += '&id='+encodeURIComponent(dwform.elements.id.value);
+        params += '&sectok='+encodeURIComponent(dwform.elements.sectok.value);
 
         var sackobj = new sack(DOKU_BASE + 'lib/exe/ajax.php');
         // this needs to be synchronous and GET to not be aborted upon page unload
diff --git a/lib/scripts/locktimer.js b/lib/scripts/locktimer.js
index 0db7d2b15..5335e228f 100644
--- a/lib/scripts/locktimer.js
+++ b/lib/scripts/locktimer.js
@@ -73,6 +73,7 @@ var locktimer = {
         if(now.getTime() - locktimer.lasttime.getTime() > 30*1000){
             var params = 'call=lock&id='+encodeURIComponent(locktimer.pageid);
             var dwform = $('dw__editform');
+            params += '&sectok='+encodeURIComponent(dwform.elements.sectok.value);
             if(locktimer.draft && dwform.elements.wikitext){
                 params += '&prefix='+encodeURIComponent(dwform.elements.prefix.value);
                 params += '&wikitext='+encodeURIComponent(dwform.elements.wikitext.value);
-- 
cgit v1.2.3