-rw-r--r--autosave.info6
-rw-r--r--autosave.js6
-rw-r--r--autosave.module42
3 files changed, 41 insertions, 13 deletions
diff --git a/autosave.info b/autosave.info
index 5a4a692..721529e 100644
--- a/autosave.info
+++ b/autosave.info
@@ -5,9 +5,5 @@ package = Other
project = autosave
core = 6.x
-; Information added by drupal.org packaging script on 2009-11-02
-version = "6.x-2.2"
-core = "6.x"
-project = "autosave"
-datestamp = "1257182411"
+
diff --git a/autosave.js b/autosave.js
index 4e7c2bb..15d7217 100644
--- a/autosave.js
+++ b/autosave.js
@@ -40,7 +40,7 @@ if (Drupal.jsEnabled) {
//CKEditor support
if (typeof(CKEDITOR) != 'undefined' ) {
for (var instance in CKEDITOR.instances) {
- CKEDITOR.instances[instance].setData('');
+ CKEDITOR.instances[instance].setData($('#' + instance).val());
}
}
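Review bot: The added `$('#' + instance).val()` builds a jQuery ID selector from the CKEditor instance name without escaping it; if an instance name ever carries selector metacharacters (`.`, `[`, `:`), the lookup silently yields an empty set and `setData(undefined)` is handed to the editor. Looking the element up directly avoids the selector and lets you guard the miss: `var el = document.getElementById(instance); if (el) { CKEDITOR.instances[instance].setData(el.value); }`. The same construction is repeated in the second CKEditor hunk below. The enclosing function begins outside this hunk.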
@@ -57,7 +57,7 @@ if (Drupal.jsEnabled) {
//CKEditor support
if (typeof(CKEDITOR) != 'undefined' ) {
for (var instance in CKEDITOR.instances) {
- CKEDITOR.instances[instance].setData('');
+ CKEDITOR.instances[instance].setData($('#' + instance).val());
}
}
@@ -103,7 +103,7 @@ Drupal.saveForm = function() {
var serialized = $('#node-form').formHash();
serialized['q'] = Drupal.settings.autosave.q;
$.ajax({
- url: Drupal.settings.basePath + "autosave/handler",
+ url: Drupal.settings.autosave.url,
type: "POST",
dataType: "xml/html/script/json",
data: serialized,
diff --git a/autosave.module b/autosave.module
index e3ad58e..5419eb3 100644
--- a/autosave.module
+++ b/autosave.module
@@ -1,4 +1,5 @@
<?php
+// $Id: autosave.module,v 1.9 2009/11/06 00:41:16 ptalindstrom Exp $
/**
* @file
@@ -24,10 +25,10 @@ function autosave_help($path, $arg) {
* Implementation of hook_menu().
*/
function autosave_menu() {
- $items['autosave/handler'] = array(
+ $items['autosave/handler/%'] = array(
'title' => 'Autosave save',
'page callback' => 'autosave_save',
- 'access callback' => TRUE,
+ 'access callback' => 'autosave_save_access',
'type' => MENU_CALLBACK,
);
@@ -42,6 +43,31 @@ function autosave_menu() {
}
/**
+ * Access callback for the form save menu callback.
+ *
+ *
+ * For security reasons, we need to confirm that the user would have access
+ * to the page where the form lives in the first place. If they don't, they
+ * should not be able to access its saved version. We also check that the
+ * form's token is correct to avoid CSRF attacks.
+ *
+ * Because the form data is not available to us, the only way we can access
+ * the path is by checking $_POST directly. Sux.
+ *
+ * @return boolean
+ * True if this user should have access to save this form, false otherwise.
+*/
+function autosave_save_access() {
+ $path = trim($_POST['q'], '/');
+ $menu_item = menu_get_item($path);
+
+ $token = isset($_POST['form_token'], $_POST['form_id']) && drupal_valid_token($_POST['form_token'], $_POST['form_id']);
+ $menu = isset($menu_item['access']) ? $menu_item['access'] : FALSE;
+ return $token && $menu;
+}
+
+
+/**
* Menu callback; return the autosave module settings form.
*/
function autosave_admin_settings() {
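Review bot: `autosave_save_access()` never looks at the token that the new route `autosave/handler/%` carries in its path: it takes no parameter, the menu item declares no `'access arguments'`, and the check it does perform is against `$_POST['form_token']`, so the path component is unvalidated. Either hand the wildcard to the callback and check it (`'access arguments' => array(2)`, `function autosave_save_access($token)` with `drupal_valid_token($token, $_POST['form_id'])`), or leave the route at `autosave/handler` and rely solely on the body token as the code already does. `$_POST['q']` is read without `isset()`, which emits a notice on a bare request to the handler; `$path = isset($_POST['q']) ? trim($_POST['q'], '/') : '';` keeps the denial quiet. If I recall Drupal 6's form API correctly, `form_token` is not emitted for anonymous users, so this callback denies autosave for uid 0 — worth stating in the docblock rather than leaving readers to discover it.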
@@ -99,7 +125,10 @@ function autosave_form_alter(&$form, &$form_state, $form_id) {
if (module_exists('wysiwyg')) $settings['autosave']['wysiwyg'] = 1;
else $settings['autosave']['wysiwyg'] = 0;
- $settings['autosave']['url'] = url('autosave/handler');
+ // add security token
+ $token = drupal_get_token($form_id);
+
+ $settings['autosave']['url'] = url('autosave/handler/' . $token);
$settings['autosave']['period'] = variable_get('autosave_period', 10);
$settings['autosave']['q'] = $path;
$settings['autosave']['hidden'] = variable_get('autosave_hidden', 0);
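Review bot: Embedding `drupal_get_token($form_id)` in the handler URL puts a CSRF token into the request line, where it lands in web-server access logs, proxies and any Referer header sent from the handler response, while the same value is already posted in the form body as `form_token` (Drupal 6 derives the hidden field from the form id via the same function, so the two tokens are identical). Since the access callback validates the body token and, as written, ignores the path segment, the URL token buys nothing and costs exposure; `$settings['autosave']['url'] = url('autosave/handler');` with the route left at `autosave/handler` is the safer shape. If the path token is kept for a reason, a comment above these lines should say what consumes it. The enclosing `autosave_form_alter()` starts outside this hunk.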
@@ -126,6 +155,7 @@ function autosave_save() {
$path = $_POST['q'];
$form_id = $_POST['form_id'];
+
// Not all variables need to be serialized.
// - for Drupal 6 version need to remove op and form_build_id
unset($_POST['q'], $_POST['op'], $_POST['form_build_id']);
@@ -136,12 +166,14 @@ function autosave_save() {
// - easy to figure out if we are submitting an edit to existing node
// - little harder if we have just added a node
$path_args = explode("/", $path);
+
// update case
if (is_numeric($path_args[1])) {
$submitted = node_load($path_args[1]);
- }
+ }
+
+ // add case
else {
- // add case
$submitted->changed = db_result(db_query("SELECT created FROM {node} WHERE uid = %d and type = '%s' ORDER BY created DESC LIMIT 1", $user->uid, str_replace("-", "_", $path_args[2])));
}