-rw-r--r--plugins/context_reaction_block.inc5
-rw-r--r--plugins/context_reaction_block.js5
-rw-r--r--theme/context_reaction_block.theme.inc5
3 files changed, 15 insertions, 0 deletions
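diff --git a/plugins/context_reaction_block.inc b/plugins/context_reaction_block.inc
index afc4f08..c14aa98 100644
--- a/plugins/context_reaction_block.inc
+++ b/plugins/context_reaction_block.inc
@@ -640,6 +640,11 @@ class context_reaction_block extends context_reaction {
 if (strpos($param, ',') !== FALSE) {
 list($bid, $context) = explode(',', $param);
 list($module, $delta) = explode('-', $bid, 2);
+ // Check token to make sure user has access to block.
+ if (empty($_GET['context_token']) || $_GET['context_token'] != drupal_get_token($bid)) {
+ echo drupal_json_encode(array('status' => 0));
+ exit;
+ }
 // Ensure $bid is valid.
 $info = $this->get_blocks();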
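Review bot: The token comparison in the added `if` uses loose `!=`, so two numeric-looking strings would compare equal after PHP type juggling; compare strictly, preferably through core's own helper, `if (empty($_GET['context_token']) || !drupal_valid_token($_GET['context_token'], $bid)) {`. That also keeps the check consistent with how the rest of Drupal validates form and link tokens. The comment above it would help a reader more if it said what the token binds to, e.g. `// The block browser issued a token for this $bid; refuse to render a block the user was not shown.`. The enclosing method starts and ends outside the hunk.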
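diff --git a/plugins/context_reaction_block.js b/plugins/context_reaction_block.js
index 05f1147..b51e2f3 100644
--- a/plugins/context_reaction_block.js
+++ b/plugins/context_reaction_block.js
@@ -327,6 +327,11 @@ DrupalContextBlockEditor.prototype = {
 // Construct query params for our AJAX block request.
 var params = Drupal.settings.contextBlockEditor.params;
 params.context_block = bid + ',' + context;
+ if (!Drupal.settings.contextBlockEditor.block_tokens || !Drupal.settings.contextBlockEditor.block_tokens[bid]) {
+ alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administer.'));
+ return;
+ }
+ params.context_token = Drupal.settings.contextBlockEditor.block_tokens[bid];
 // Replace item with loading block.
 //ui.sender.append(ui.item);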
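Review bot: The user-facing string passed to `Drupal.t()` on the alert line has a typo, "administer" where "administrator" is meant: `alert(Drupal.t('An error occurred trying to retrieve block content. Please contact a site administrator.'));`. As a matter of style, `Drupal.settings.contextBlockEditor.block_tokens` is dereferenced three times in the new lines; reading it once, `var tokens = Drupal.settings.contextBlockEditor.block_tokens;`, and using `tokens` in the guard and the assignment would make the intent clearer. The enclosing method starts and ends outside the hunk.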
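diff --git a/theme/context_reaction_block.theme.inc b/theme/context_reaction_block.theme.inc
index b794342..c103bab 100644
--- a/theme/context_reaction_block.theme.inc
+++ b/theme/context_reaction_block.theme.inc
@@ -120,6 +120,11 @@ function template_preprocess_context_block_browser(&$vars) {
 * Preprocessor for theme('context_block_browser_item').
 */
 function template_preprocess_context_block_browser_item(&$vars) {
+ static $added = array();
 $vars['bid'] = $vars['block']->bid;
 $vars['info'] = check_plain($vars['block']->info);
+ if (empty($added[$vars['bid']])) {
+ drupal_add_js(array('contextBlockEditor' => array('block_tokens' => array($vars['bid'] => drupal_get_token($vars['bid'])))), 'setting');
+ $added[$vars['bid']] = TRUE;
+ }
 }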
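Review bot: The new token emission carries no comment explaining why a token per block is pushed into Drupal.settings, so a reader has to find the matching check in plugins/context_reaction_block.inc to understand it; a line such as `// Issue a per-block token; the AJAX block handler in context_reaction_block.inc refuses requests that cannot present it.` above the `if (empty($added[...]))` guard would close that gap. The `static $added` array appears to exist only to avoid repeated drupal_add_js() calls for the same block within one request, and a short note like `// Add each block's token setting only once per request.` next to its declaration would say so.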