3.1

Author: Pathologic

assets/modules/docmanager/templates/changeauthors.tpl

@@ -4,6 +4,7 @@
 <p>[+lang.DM_adjust_authors_desc+]</p>
 
 <form name="authors" method="post" action="">
+    [+csrf+]
     <label for="author_createdby">[+lang.DM_adjust_authors_createdby+]</label>
     <select name="author_createdby" size="1">
         <option value="0">[+lang.DM_adjust_authors_noselection+]</option>
@@ -15,4 +16,4 @@
         <option value="0">[+lang.DM_adjust_authors_noselection+]</option>
         [+changeauthors.options+]
     </select>
-</form>
+</form>

assets/modules/docmanager/templates/documentgroups.tpl

@@ -1,8 +1,9 @@
 <p>[+lang.DM_doc_desc+]</p><br />
 <form name="docgroups" action="">
+    [+csrf+]
     [+documentgroups.grid+]
     <br /><br />
     <input type="radio" name="tabAction" value="pushDocGroup" checked />&nbsp;[+lang.DM_doc_radio_add+]&nbsp;&nbsp;
     <input type="radio" name="tabAction" value="pullDocGroup" />&nbsp;[+lang.DM_doc_radio_remove+]
     <br /><br />
-</form>
+</form>

assets/modules/docmanager/templates/documents.tpl

@@ -4,6 +4,7 @@
             <div class="tab-header">[+lang.DM_range_title+]</div>
             <div class="tab-body">
                 <form name="range" id="range" action="" method="post">
+                    [+csrf+]
                     <input type="hidden" id="newvalue" name="newvalue" value="" />
                     <input type="hidden" id="setoption" name="setoption" value="" />
                     <input type="hidden" id="pubdate" name="pubdate" value="" />
@@ -26,4 +27,4 @@
             </div>
         </div>
     </div>
-</div>
+</div>

assets/modules/docmanager/templates/main.tpl

@@ -8,6 +8,7 @@
     <script type="text/javascript" src="media/script/mootools/mootools.js"></script>
     <script type="text/javascript" src="../assets/modules/docmanager/js/docmanager.js"></script>
     <script type="text/javascript">
+        const token = '[+token+]';
       function loadTemplateVars(tplId)
       {
         document.getElementById('tvloading').style.display = 'block';
@@ -36,7 +37,7 @@
             }
           }
         };
-        xhr.send('theme=[+theme+]&tplID=' + tplId);
+        xhr.send('_token=' + token + '&theme=[+theme+]&tplID=' + tplId);
       }
 
       function save()
@@ -131,4 +132,4 @@
 [+view.documents+]
 [+view.tab+]
 </body>
-</html>
+</html>

assets/modules/docmanager/templates/misc.tpl

@@ -2,6 +2,7 @@
 <h4><i class="fa fa-calendar"></i> [+lang.DM_adjust_dates_header+]</h4>
 <p>[+lang.DM_adjust_dates_desc+]</p>
 <form id="dates" name="dates" method="post" action="">
+    [+csrf+]
     <table>
         <tr>
             <td><label for="date_pubdate" id="date_pubdate_label">[+lang.DM_date_pubdate+]</label></td>
@@ -64,4 +65,4 @@
     <br /><br />
     <input type="radio" name="choice" value="1" />&nbsp;<label for="choice" id="choice_label_1">[+lang.DM_other_publish_radio1+]</label>
     <input type="radio" name="choice" value="0" />&nbsp;<label for="choice" id="choice_label_2">[+lang.DM_other_publish_radio2+]</label>
-</form>
+</form>

assets/modules/docmanager/templates/templates.tpl

@@ -1,6 +1,7 @@
 <p>[+lang.DM_tpl_desc+]</p>
 <br />
 <form name="template" action="">
+    [+csrf+]
     [+templates.grid+]
     <br />
     <table class="grid">
@@ -13,4 +14,4 @@
         </tr>
         </tbody>
     </table>
-</form>
+</form>

assets/modules/docmanager/templates/templatevars.tpl

@@ -1,6 +1,7 @@
 <p>[+lang.DM_tv_desc+]</p>
 <br />
 <form name="templatevariables" action="" method="post">
+    [+csrf+]
     [+templatevars.grid+]
     <div id="tvloading" class="warning" style="display:none">[+lang.DM_tv_loading+]</div>
     <br />
@@ -10,4 +11,4 @@
     <input type="hidden" id="pids_tv" name="pids" value="" />
     <input type="hidden" id="template_id" name="template_id" value="" />
     <input type="hidden" id="tabaction_tv" name="tabAction" value="changeTV" />
-</form>
+</form>

assets/modules/docmanager/templates/update.tpl

@@ -40,10 +40,11 @@
         <b>[+lang.DM_update_title+]</b>
         <p>[+update.message+]</p>
         <form id="backform" method="post" style="display: none;" action="">
+            [+csrf+]
             <input type="submit" name="back" value="[+lang.DM_process_back+]" />
         </form>
     </div>
 </div>
 
 </body>
-</html>
+</html>

install/assets/modules/docmanager.tpl

@@ -5,7 +5,7 @@
  * Quickly perform bulk updates to the Documents in your site including templates, publishing details, and permissions
  * 
  * @category	module
- * @version 	3.0
+ * @version 	3.1
  * @license 	http://www.gnu.org/copyleft/gpl.html GNU Public License (GPL)
  * @internal	@properties
  * @internal	@guid docman435243542tf542t5t	
@@ -26,6 +26,8 @@ $dmb = new DocManagerBackend($dm, $modx);
 
 $dm->ph = $dm->getLang();
 $dm->ph['theme'] = $dm->getTheme();
+$dm->ph['token'] = csrf_token();
+$dm->ph['csrf'] = (string)csrf_field();
 $dm->ph['ajax.endpoint'] = MODX_SITE_URL.'assets/modules/docmanager/tv.ajax.php';
 $dm->ph['datepicker.offset'] = $modx->config['datepicker_offset'];
 $dm->ph['datetime.format'] = $modx->config['datetime_format'];