Refs #1459: Added missing security tokens for failsafe (installation) view.

git-svn-id: http://code.elgg.org/elgg/trunk@3835 36083f99-b078-4883-b0ff-0f9b5a30f544

diff --git a/views/failsafe/input/form.php b/views/failsafe/input/form.php
index 33ddfc3ea8ba5ac8df03676d997d98ca6b2d7fd7..35e718adb84929e2465c9c1dc36db3ba3f9b3eb1 100644 (file)
--- a/views/failsafe/input/form.php
+++ b/views/failsafe/input/form.php
@@ -41,7 +41,13 @@ if (isset($vars['method'])) {
 
 $method = strtolower($method);
 
+// Generate a security header
+$security_header = "";
+if (!isset($vars['disable_security']) || $vars['disable_security'] != true) {
+       $security_header = elgg_view('input/securitytoken');
+}
 ?>
 <form <?php if ($id) { ?>id="<?php echo $id; ?>" <?php } ?> <?php if ($name) { ?>name="<?php echo $name; ?>" <?php } ?> action="<?php echo $action; ?>" method="<?php echo $method; ?>" <?php if ($enctype!="") echo "enctype=\"$enctype\""; ?>>
+<?php echo $security_header; ?>
 <?php echo $body; ?>
 </form>
\ No newline at end of file

diff --git a/views/failsafe/input/securitytoken.php b/views/failsafe/input/securitytoken.php
new file mode 100644 (file)
index 0000000..a2a4a0e
--- /dev/null
+++ b/views/failsafe/input/securitytoken.php
@@ -0,0 +1,17 @@
+<?php
+/**
+ * CSRF security token view for use with secure forms.
+ *
+ * It is still recommended that you use input/form.
+ *
+ * @package Elgg
+ * @subpackage Core
+ * @author Curverider Ltd
+ * @link http://elgg.org/
+ */
+
+$ts = time();
+$token = generate_action_token($ts);
+
+echo elgg_view('input/hidden', array('internalname' => '__elgg_token', 'value' => $token));
+echo elgg_view('input/hidden', array('internalname' => '__elgg_ts', 'value' => $ts));