Commit 527a0549 authored by Dries's avatar Dries

- Patch #644648 by sun: cleaned up, documented, and corrected some ['#token'] code.

parent 516d24d1
......@@ -688,22 +688,26 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
// authenticated users. This ensures that any submitted form was actually
// requested previously by the user and protects against cross site request
// forgeries.
if (isset($form['#token'])) {
if ($form['#token'] === FALSE || $user->uid == 0 || $form_state['programmed']) {
// This does not apply to programmatically submitted forms. Furthermore, since
// tokens are session-bound and forms displayed to anonymous users are very
// likely cached, we cannot assign a token for them.
// During installation, there is no $user yet.
if (!empty($user->uid) && !$form_state['programmed']) {
// Form constructors may explicitly set #token to FALSE when cross site
// request forgery is irrelevant to the form, such as search forms.
if (isset($form['#token']) && $form['#token'] === FALSE) {
unset($form['#token']);
}
// Otherwise, generate a public token based on the form id.
else {
$form['form_token'] = array('#type' => 'token', '#default_value' => drupal_get_token($form['#token']));
$form['#token'] = $form_id;
$form['form_token'] = array(
'#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
'#type' => 'token',
'#default_value' => drupal_get_token($form['#token']),
);
}
}
elseif (isset($user->uid) && $user->uid && !$form_state['programmed']) {
$form['#token'] = $form_id;
$form['form_token'] = array(
'#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
'#type' => 'token',
'#default_value' => drupal_get_token($form['#token']),
);
}
if (isset($form_id)) {
$form['form_id'] = array(
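Review bot: The rewritten guard `if (!empty($user->uid) && !$form_state['programmed'])` no longer clears a constructor-supplied `#token` for anonymous users or programmed submissions, whereas the removed branch did `unset($form['#token'])` in both cases. If drupal_validate_form() still gates its token check on `isset($form['#token'])` (not visible here), a form whose constructor sets `#token` to any non-FALSE value will fail token validation for those submissions, because no `form_token` element is ever added to it. The smallest repair is an else branch on the outer condition: `else { unset($form['#token']); }`. Note also that the else branch now assigns `$form['#token'] = $form_id;` unconditionally, so a custom `#token` string is silently replaced by the form id — consistent with the contact.module removals in this commit, but worth stating in the comment, e.g. `// Any #token value other than FALSE is replaced by the form id.` drupal_prepare_form() starts and ends outside the hunk.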
......
......@@ -1845,7 +1845,7 @@ function comment_form($form, &$form_state, $comment) {
$form['submit'] = array(
'#type' => 'submit',
'#value' => t('Save'),
'#access' => variable_get('comment_preview_' . $node->type, DRUPAL_OPTIONAL) != DRUPAL_REQUIRED || (!form_get_errors() && isset($form_state['comment_preview'])),
'#access' => ($comment->cid && user_access('administer comments')) || variable_get('comment_preview_' . $node->type, DRUPAL_OPTIONAL) != DRUPAL_REQUIRED || (!form_get_errors() && isset($form_state['comment_preview'])),
'#weight' => 19,
);
$form['preview'] = array(
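Review bot: The new `#access` clause `($comment->cid && user_access('administer comments'))` adds an administrator bypass of the preview-required setting that is unrelated to the #token cleanup named in the commit message and carries no comment explaining the intent. `#access` only controls whether the Save button is rendered; if the preview requirement is also enforced in comment_form_validate() or a submit handler (outside this hunk), that code needs the same administrator exception or the button will appear but the save will still be rejected. A one-line comment above the element would make the policy explicit, e.g. `// Administrators editing an existing comment may save without previewing.` comment_form() starts and ends outside the hunk.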
......
......@@ -61,7 +61,6 @@ function contact_site_form($form, &$form_state) {
$form['#attributes']['class'][] = 'user-info-from-cookie';
}
$form['#token'] = $user->uid ? $user->name . $user->mail : '';
$form['name'] = array(
'#type' => 'textfield',
'#title' => t('Your name'),
......@@ -171,7 +170,7 @@ function contact_site_form_submit($form, &$form_state) {
* @see contact_personal_form_validate()
* @see contact_personal_form_submit()
*/
function contact_personal_form($form, &$form_state, stdClass $recipient) {
function contact_personal_form($form, &$form_state, $recipient) {
global $user;
// Check if flood control has been activated for sending e-mails.
......@@ -190,7 +189,6 @@ function contact_personal_form($form, &$form_state, stdClass $recipient) {
$form['#attributes']['class'][] = 'user-info-from-cookie';
}
$form['#token'] = $user->uid ? $user->name . $user->mail : '';
$form['recipient'] = array(
'#type' => 'value',
'#value' => $recipient,
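Review bot: Removing `$form['#token'] = $user->uid ? $user->name . $user->mail : '';` from both contact forms leaves their CSRF token to drupal_prepare_form()'s default, which this commit seeds from the form id and issues only to authenticated users; for anonymous visitors these mail-sending forms therefore carry no form token at all, and the flood check referenced at the top of contact_personal_form() is the only abuse control. That matches the previous behavior (the old `''` seed was discarded for anonymous users by the removed drupal_prepare_form() branch anyway), but the limitation deserves a comment where the assignment was removed, e.g. `// Anonymous submissions carry no form token; flood control limits abuse.` The second hunk also drops the `stdClass` type hint on `$recipient` without updating the docblock; add a `@param $recipient` line stating what is expected (presumably a loaded user account object — confirm against callers). Both form constructors continue past the hunks shown.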
......