From 5a8bbbe98c5b550dc6ebb3bd86fab2211b44df8e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?= <paul@plutz.net>
Date: Wed, 11 May 2022 17:24:48 +0200
Subject: [PATCH] acl and session validation for attachment ops

---
 themes/default.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/themes/default.sh b/themes/default.sh
index 7edd4b9..9826a79 100755
--- a/themes/default.sh
+++ b/themes/default.sh
@@ -114,11 +114,13 @@ theme_attachments(){
 	  $(theme_header)
 	  <main>
 	    <form class=upload method=POST enctype="multipart/form-data">
+	      <input type=hidden name=session_id value="$SESSION_ID">
 	      <input type=file name=file multiple>
 	      <button type=submit name=action value=upload>Upload</button>
 	    </form>
 
             <form method=POST><ul class="attachment list">
+	      <input type=hidden name=session_key value="$SESSION_KEY">
 	    $(for file in "$_EXEC/pages/$page/#attachments"/* "$_DATA/pages/$page/#attachments"/*; do
 	      [ "$file" = "$_EXEC/pages/$page/#attachments/${file##*/}" \
 	            -a -f "$_DATA/pages/$page/#attachments/${file##*/}" ] && continue
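Review bot: The two added hidden fields disagree: the upload form posts `session_id` filled from `$SESSION_ID`, while the attachment list form posts `session_key` filled from `$SESSION_KEY`. The handler that validates these is not part of this patch (only themes/default.sh changes), so unless it deliberately checks two different tokens, one of the two POSTs will probably be rejected or go unvalidated; confirm which name the handler reads and use that same field in both forms. If `$SESSION_ID` is the identifier that also authenticates the session cookie, avoid writing it into the page body and send only a derived per-session token. The second input is also emitted as a direct child of `<ul class="attachment list">`, which is not valid list content, so it would be better placed between `<form method=POST>` and the `<ul>`. theme_attachments starts and ends outside this hunk, so where the two variables are set is not visible here.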
-- 
2.39.5