diff options
Diffstat (limited to 'extensions/Voting')
-rw-r--r-- | extensions/Voting/Extension.pm | 4 | ||||
-rw-r--r-- | extensions/Voting/template/en/default/pages/voting/user.html.tmpl | 1 | ||||
-rw-r--r-- | extensions/Voting/template/en/default/voting/delete-all.html.tmpl | 1 |
3 files changed, 6 insertions, 0 deletions
diff --git a/extensions/Voting/Extension.pm b/extensions/Voting/Extension.pm index d94ff8430..8417e0ec3 100644 --- a/extensions/Voting/Extension.pm +++ b/extensions/Voting/Extension.pm @@ -36,6 +36,7 @@ use Bugzilla::Field; use Bugzilla::Mailer; use Bugzilla::User; use Bugzilla::Util qw(detaint_natural); +use Bugzilla::Token; use List::Util qw(min); @@ -529,6 +530,9 @@ sub _update_votes { || ThrowUserError("voting_must_be_nonnegative"); } + my $token = $cgi->param('token'); + check_hash_token($token, ['vote']); + ############################################################################ # End Data/Security Validation ############################################################################ diff --git a/extensions/Voting/template/en/default/pages/voting/user.html.tmpl b/extensions/Voting/template/en/default/pages/voting/user.html.tmpl index f2ac160f8..dbceaf217 100644 --- a/extensions/Voting/template/en/default/pages/voting/user.html.tmpl +++ b/extensions/Voting/template/en/default/pages/voting/user.html.tmpl @@ -74,6 +74,7 @@ [% IF products.size %] <form name="voting_form" method="post" action="page.cgi?id=voting/user.html"> <input type="hidden" name="action" value="vote"> + <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]"> <table cellspacing="4"> <tr> <td></td> diff --git a/extensions/Voting/template/en/default/voting/delete-all.html.tmpl b/extensions/Voting/template/en/default/voting/delete-all.html.tmpl index 82ddc3596..f0d3b7e13 100644 --- a/extensions/Voting/template/en/default/voting/delete-all.html.tmpl +++ b/extensions/Voting/template/en/default/voting/delete-all.html.tmpl @@ -35,6 +35,7 @@ <form action="page.cgi?id=voting/user.html" method="post"> <input type="hidden" name="action" value="vote"> + <input type="hidden" name="token" value="[% issue_hash_token(['vote']) FILTER html %]"> <p> <input type="radio" name="delete_all_votes" value="1"> Yes, delete all my votes |