Commit 4452bf1f authored by Fox's avatar Fox

Addition of block token to ensure json block rendering is only available to...

Addition of block token to ensure JSON block rendering is only available to those who can place blocks, and to make sure the access-denied check works
parent f258d579
......@@ -561,7 +561,7 @@ class context_reaction_block extends context_reaction {
}
foreach ($headers as $header) {
if ($header == "HTTP/1.1 404 Not Found" || $header == "HTTP/1.1 403 Forbidden") {
if (strpos($header, "404 Not Found") !== FALSE || strpos($header, "403 Forbidden") !== FALSE) {
return;
}
}
......@@ -572,6 +572,11 @@ class context_reaction_block extends context_reaction {
if (strpos($param, ',') !== FALSE) {
list($bid, $context) = explode(',', $param);
list($module, $delta) = explode('-', $bid, 2);
// Check token to make sure user has access to block.
if (empty($_GET['context_token']) || $_GET['context_token'] != drupal_get_token($bid)) {
echo drupal_to_js(array('status' => 0));
exit;
}
// Ensure $bid is valid.
$info = $this->get_blocks();
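Review bot: The new token check `$_GET['context_token'] != drupal_get_token($bid)` compares two strings with PHP's loose `!=`, and two hex digests that both look like exponent-form numbers (`0e` followed by digits) compare equal under loose comparison, so a forged token can slip past in that rare case. Use strict comparison or the core validator, e.g. `if (empty($_GET['context_token']) || !drupal_valid_token($_GET['context_token'], $bid)) {`, which also keeps the per-session binding in one place. The check sits inside the `strpos($param, ',') !== FALSE` branch and the enclosing method starts and ends outside the hunk, so it is not visible here whether a `$param` without a comma can still reach block rendering untokened; worth confirming. The earlier hunk in this class only relaxes the 404/403 header match to `strpos()` and raises nothing on its own.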
......
......@@ -242,6 +242,11 @@ DrupalContextBlockEditor.prototype.addBlock = function(event, ui, editor, contex
// Construct query params for our AJAX block request.
var params = Drupal.settings.contextBlockEditor.params;
params.context_block = bid + ',' + context;
if (!Drupal.settings.contextBlockEditor.block_tokens || !Drupal.settings.contextBlockEditor.block_tokens[bid]) {
alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administer.'));
return;
}
params.context_token = Drupal.settings.contextBlockEditor.block_tokens[bid];
// Replace item with loading block.
var blockLoading = $('<div class="context-block-item context-block-loading"><span class="icon"></span></div>');
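Review bot: The user-facing string added on the `alert(...)` line has a typo, "site administer", which should read "site administrator"; since it is wrapped in `Drupal.t()` the typo also becomes the translation key, so fixing it later would orphan any translation: `alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administrator.'));`. The guard itself is reasonable for a token string, but `params` is the shared `Drupal.settings.contextBlockEditor.params` object and the new `params.context_token = ...` line mutates it in place like the existing `context_block` assignment does, so each request depends on the previous assignment being overwritten before use. A short comment such as `// Per-block token issued server-side in template_preprocess_context_block_browser_item(); missing means the user could not see this block in the browser.` would explain why a missing token is treated as an error rather than a retry. The enclosing `addBlock` function starts and ends outside the hunk.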
......
......@@ -91,8 +91,13 @@ function template_preprocess_context_block_browser(&$vars) {
* Preprocessor for theme('context_block_browser_item').
*/
function template_preprocess_context_block_browser_item(&$vars) {
static $added = array();
$vars['bid'] = $vars['block']->bid;
$vars['info'] = check_plain($vars['block']->info);
if (empty($added[$vars['bid']])) {
drupal_add_js(array('contextBlockEditor' => array('block_tokens' => array($vars['bid'] => drupal_get_token($vars['bid'])))), 'setting');
$added[$vars['bid']] = TRUE;
}
}
/**
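Review bot: The `static $added = array();` cache and the `if (empty($added[$vars['bid']]))` guard are undocumented, so a reader cannot tell why the token setting must be emitted exactly once per bid. Suggest a comment above the guard such as `// Emit each block's token into JS settings once per request; drupal_add_js() merges repeated 'setting' entries recursively, so a duplicated key would become an array instead of a string.` It would also help to note next to the `drupal_get_token($vars['bid'])` call that this is the value the block editor sends back as `context_token` and that the server re-derives it from the same `$bid`, so the two sides stay in sync only while both use the raw `module-delta` string. `$vars['bid']` is placed into settings unescaped, which is fine for JSON-encoded settings but should not be echoed into markup by the template without `check_plain()` as `info` is on the line above.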
......