diff --git a/src/Controller/Bolt/EditRecordController.php b/src/Controller/Bolt/EditRecordController.php
index aaf038b2..e2d8e14e 100644
--- a/src/Controller/Bolt/EditRecordController.php
+++ b/src/Controller/Bolt/EditRecordController.php
@@ -17,6 +17,10 @@ use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
+use Symfony\Component\Security\Csrf\CsrfToken;
+use Symfony\Component\Security\Csrf\CsrfTokenManager;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 
 /**
  * Class EditRecordController.
@@ -32,9 +36,13 @@ class EditRecordController extends AbstractController
     /** @var Version */
     private $version;
 
-    public function __construct(Config $config)
+    /** @var CsrfTokenManagerInterface */
+    private $csrfTokenManager;
+
+    public function __construct(Config $config, CsrfTokenManagerInterface $csrfTokenManager)
     {
         $this->config = $config;
+        $this->csrfTokenManager = $csrfTokenManager;
     }
 
     /**
@@ -57,6 +65,12 @@ class EditRecordController extends AbstractController
      */
     public function edit_post(Content $content = null, Request $request, ObjectManager $manager, UrlGeneratorInterface $urlGenerator): Response
     {
+        $token = new CsrfToken('editrecord', $request->request->get('_csrf_token'));
+        if (!$this->csrfTokenManager->isTokenValid($token)) {
+            throw new InvalidCsrfTokenException();
+        }
+
         $content = $this->contentFromPost($content, $request);
 
         $manager->persist($content);
diff --git a/templates/editcontent/edit.twig b/templates/editcontent/edit.twig
index 856e99fa..ee6bb13b 100644
--- a/templates/editcontent/edit.twig
+++ b/templates/editcontent/edit.twig
@@ -10,7 +10,7 @@
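Review bot: The added `use Symfony\Component\Security\Csrf\CsrfTokenManager;` imports the concrete manager class, but nothing in the visible hunks references it — the constructor, property and edit_post all use CsrfTokenManagerInterface, CsrfToken and InvalidCsrfTokenException only. Unless a part of the file outside this diff needs the concrete class, drop that line so the controller depends on the interface alone and the unused import does not trip a linter.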
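Review bot: The guard at the top of edit_post rejects a bad token with InvalidCsrfTokenException, which is an AuthenticationException rather than an HTTP exception; if this route sits behind a firewall with an entry point, Symfony's security exception listener will most likely answer a stale or missing `_csrf_token` by redirecting the already-authenticated editor to the login form instead of returning an error, so the failure looks like a dropped session — hedged, since the firewall configuration is not on the page. If that redirect is not intended, `throw new AccessDeniedHttpException('Invalid CSRF token.');` (importing it from Symfony\Component\HttpKernel\Exception) turns the rejected post into a plain 403 with the form still reachable. The token id `'editrecord'` is also a bare literal that the Twig template must reproduce exactly; a class constant such as `private const CSRF_TOKEN_ID = 'editrecord';` used by both the check and the template keeps the two from drifting apart. The body of edit_post continues past the end of the hunk.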