From fe99c1cbec5e2403e731aa2f82bae0c2722535db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B0=98=E7=BC=98?=
Date: Wed, 19 Oct 2016 11:05:26 +0800
Subject: [PATCH] #367 fixed a csrf bug since 2014
---
 src/psm/Module/Server/Controller/StatusController.php | 1 +
 src/templates/default/module/server/status/index.tpl.html | 1 +
 static/js/scripts.js | 1 +
 3 files changed, 3 insertions(+)
diff --git a/src/psm/Module/Server/Controller/StatusController.php b/src/psm/Module/Server/Controller/StatusController.php
index 5afde541..600e9be1 100644
--- a/src/psm/Module/Server/Controller/StatusController.php
+++ b/src/psm/Module/Server/Controller/StatusController.php
@@ -37,6 +37,7 @@ class StatusController extends AbstractServerController {
 function __construct(Database $db, \Twig_Environment $twig) {
 parent::__construct($db, $twig);
+ $this->setCSRFKey('status');
 $this->setActions(array('index', 'saveLayout'), 'index');
 }
diff --git a/src/templates/default/module/server/status/index.tpl.html b/src/templates/default/module/server/status/index.tpl.html
index 77fe4c89..c66cde78 100644
--- a/src/templates/default/module/server/status/index.tpl.html
+++ b/src/templates/default/module/server/status/index.tpl.html
@@ -1,4 +1,5 @@
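Review bot: The new `$this->setCSRFKey('status');` line carries no comment saying what the key is for or why it belongs in the constructor, and the key `'status'` does not visibly correspond to the `saveLayout_csrf` field name the JavaScript in this patch reads, so the mapping between the two must live in the base class, which is outside this diff. A why-comment on the new line would make that dependency explicit, for example `// register the CSRF key so POSTs to this module (saveLayout via XHR) are token-checked` — written as an assumption about what `AbstractServerController` or its parent does with the key. It is also worth confirming that the base class actually rejects a `saveLayout` POST whose `csrf` value is missing or stale, since this hunk only registers the key and the verification path is not shown. The constructor is fully inside the hunk; the rest of `StatusController` is not.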
+
{% for server in servers_offline %}
diff --git a/static/js/scripts.js b/static/js/scripts.js
index fb29cb63..46669303 100755
--- a/static/js/scripts.js
+++ b/static/js/scripts.js
@@ -135,6 +135,7 @@ function psm_xhr(mod, params, method, on_complete, options) {
 function psm_saveLayout(layout) {
 var params = {
 action: 'saveLayout',
+ csrf: $("input[name=saveLayout_csrf]").val(),
 layout: layout
 };
 psm_xhr('server_status', params, 'POST');
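Review bot: `$("input[name=saveLayout_csrf]").val()` on the added line yields `undefined` when the hidden input is not in the page, so a template that omits it degrades silently into a request the server should reject with no client-side hint; quoting the attribute value, `$('input[name="saveLayout_csrf"]').val()`, is also the more robust selector form. The input this selector depends on is presumably the line added to `src/templates/default/module/server/status/index.tpl.html` in this same patch, but that added line's content is not visible in the diff as shown, so the name match cannot be confirmed from here. A comment tying the two together, `// token is rendered by module/server/status/index.tpl.html`, would make the coupling explicit for whoever edits either file. `psm_saveLayout` appears to lie entirely within the hunk; its callers are outside it.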