Commit 9b507ac4 authored by drothstein's avatar drothstein Committed by jmuzz
Browse files

Issue #2242751 by David_Rothstein: Implemented #2242663 for SA-CORE-2014-002...

Issue #2242751 by David_Rothstein: Implemented #2242663 for SA-CORE-2014-002 (Ajax form page callback security fix for anonymous users).
parent 76a8f053
......@@ -1509,7 +1509,7 @@ function field_collection_remove_js() {
unset($_POST['ajax_html_ids']);
}
list($form, $form_state) = ajax_get_form();
list($form, $form_state, $form_id, $form_build_id, $commands) = ajax_get_form();
drupal_process_form($form['#form_id'], $form, $form_state);
// Get the information on what we're removing.
......@@ -1517,11 +1517,10 @@ function field_collection_remove_js() {
// Go two levels up in the form, to the whole widget.
$element = drupal_array_get_nested_value($form, array_slice($button['#array_parents'], 0, -3));
// Now send back the proper AJAX command to replace it.
$commands[] = ajax_command_replace('#' . $element['#id'], drupal_render($element));
$return = array(
'#type' => 'ajax',
'#commands' => array(
ajax_command_replace('#' . $element['#id'], drupal_render($element))
),
'#commands' => $commands,
);
// Because we're doing this ourselves, messages aren't automatic. We have
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment