SA-CONTRIB-2019-32.patch 1.35 KB
diff --git a/uc_taxes/uc_taxes.admin.inc b/uc_taxes/uc_taxes.admin.inc
index 474835dd..e08304a4 100644
--- a/uc_taxes/uc_taxes.admin.inc
+++ b/uc_taxes/uc_taxes.admin.inc
@@ -11,6 +11,8 @@
 function uc_taxes_admin_settings() {
   $rows = array();
 
+  $options = array('query' => array('token' => drupal_get_token('uc_taxes_clone')));
+
   $header = array(t('Name'), t('Rate'), t('Taxed products'), t('Taxed product types'), t('Taxed line items'), t('Weight'), 'data' => t('Operations'));
 
   // Loop through all the defined tax rates.
@@ -19,7 +21,7 @@ function uc_taxes_admin_settings() {
     $ops = array(
        l(t('edit'), 'admin/store/settings/taxes/'. $rate_id .'/edit'),
        l(t('conditions'), CA_UI_PATH .'/uc_taxes_'. $rate_id .'/edit/conditions'),
-       l(t('clone'), 'admin/store/settings/taxes/'. $rate_id .'/clone'),
+       l(t('clone'), 'admin/store/settings/taxes/' . $rate_id .'/clone', $options),
        l(t('delete'), 'admin/store/settings/taxes/'. $rate_id .'/delete'),
     );
 
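Review bot: The rewritten clone link on the `+` line spaces its concatenation as `'admin/store/settings/taxes/' . $rate_id .'/clone'`, which differs from the three sibling `l()` calls in the same array that use `'.../taxes/'. $rate_id .'/...'`; keeping one form in the block reads better, e.g. `l(t('clone'), 'admin/store/settings/taxes/'. $rate_id .'/clone', $options),`. The rest of uc_taxes_admin_settings, including the loop that opens this `$ops` array, lies outside the hunk.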
@@ -199,6 +201,10 @@ function uc_taxes_form_submit($form, &$form_state) {
  * Clones a tax rate.
  */
 function uc_taxes_clone($rate_id) {
+  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'uc_taxes_clone')) {
+    return MENU_ACCESS_DENIED;
+  }
+
   // Load the source rate object.
   $rate = uc_taxes_rate_load($rate_id);
   $name = $rate->name;
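Review bot: The added guard binds the token only to the fixed value `'uc_taxes_clone'`, so a single token covers every clone link rendered on the settings page rather than the one rate it was issued for. Folding the id into the value on both sides, `drupal_get_token('uc_taxes_clone_' . $rate_id)` where the link is built and `drupal_valid_token($_GET['token'], 'uc_taxes_clone_' . $rate_id)` here, would scope each token to one rate; it would mean building `$options` inside the loop in the first hunk. The clone still executes on a plain GET; the token closes the forged-link case, though a confirmation form would be the more conventional shape for a state-changing operation. uc_taxes_clone's body continues past the hunk, and the `uc_taxes_rate_load($rate_id)` result below is used without a missing-rate check, which predates this change.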