acl and session validation for attachment ops

author Paul Hänsch <paul@plutz.net>

Wed, 11 May 2022 15:24:48 +0000 (17:24 +0200)

committer Paul Hänsch <paul@plutz.net>

Wed, 11 May 2022 15:24:48 +0000 (17:24 +0200)
author Paul Hänsch <paul@plutz.net>
Wed, 11 May 2022 15:24:48 +0000 (17:24 +0200)
committer Paul Hänsch <paul@plutz.net>
Wed, 11 May 2022 15:24:48 +0000 (17:24 +0200)
diff --git a/themes/default.sh b/themes/default.sh

index 7edd4b9986c60ad8e989f07a2740c7dc327d7c48..9826a79eb0670f5407a501a92a9def23ca5fb66e 100755 (executable)
--- a/themes/default.sh
+++ b/themes/default.sh
@@ -114,11 +114,13 @@ theme_attachments(){
           $(theme_header)
           <main>
             <form class=upload method=POST enctype="multipart/form-data">
+             <input type=hidden name=session_id value="$SESSION_ID">
               <input type=file name=file multiple>
               <button type=submit name=action value=upload>Upload</button>
             </form>
  
              <form method=POST><ul class="attachment list">
+             <input type=hidden name=session_key value="$SESSION_KEY">
             $(for file in "$_EXEC/pages/$page/#attachments"/* "$_DATA/pages/$page/#attachments"/*; do
               [ "$file" = "$_EXEC/pages/$page/#attachments/${file##*/}" \
                     -a -f "$_DATA/pages/$page/#attachments/${file##*/}" ] && continue
author	Paul Hänsch <paul@plutz.net>
	Wed, 11 May 2022 15:24:48 +0000 (17:24 +0200)
committer	Paul Hänsch <paul@plutz.net>
	Wed, 11 May 2022 15:24:48 +0000 (17:24 +0200)