From f7b6e27ea2558ddfc97547178408841c5d51c5b6 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Wed, 25 May 2011 12:15:04 +0200
Subject: [PATCH] Remove the security token from the ajax draft/lock calls
 again

The security token here doesn't improve the security as the other
requests that allow you to do the same thing aren't protected and I
don't see why locking or draft creation should be subject to XSRF
attacks.
---
 lib/exe/ajax.php         | 2 --
 lib/scripts/edit.js      | 1 -
 lib/scripts/locktimer.js | 1 -
 3 files changed, 4 deletions(-)

diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index b2463ed3f..1056a05f8 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -128,7 +128,6 @@ function ajax_lock(){
 
     $ID = cleanID($_POST['id']);
     if(empty($ID)) return;
-    if (!checkSecurityToken()) return;
 
     $INFO = pageinfo();
 
@@ -169,7 +168,6 @@ function ajax_lock(){
 function ajax_draftdel(){
     $id = cleanID($_REQUEST['id']);
     if(empty($id)) return;
-    if (!checkSecurityToken()) return;
 
     $client = $_SERVER['REMOTE_USER'];
     if(!$client) $client = clientIP(true);
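Review bot: With the token check gone, the top of `ajax_draftdel` reads the page id from `$_REQUEST`, so the call is reachable as a plain GET (the edit.js hunk's comment says that is intentional) with no request-origin check of any kind; the commit message explains why that is accepted, but nothing in the code does. Add a short comment where the check used to be recording the decision, e.g. `// deliberately no security token: the equivalent non-ajax paths are unprotected as well (see commit f7b6e27)`, so a later reader does not treat the missing check as an oversight and re-add or remove it ad hoc. The draft is selected by `$_SERVER['REMOTE_USER']` with a client-IP fallback, which presumably limits a forged request to discarding the requester's own unsaved draft; worth confirming, since the rest of the function is outside the hunk. The same reasoning applies to the `ajax_lock` hunk above, which at least only reads `$_POST`.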
diff --git a/lib/scripts/edit.js b/lib/scripts/edit.js
index 31afcc126..a96a346dc 100644
--- a/lib/scripts/edit.js
+++ b/lib/scripts/edit.js
@@ -275,7 +275,6 @@ function deleteDraft() {
     if(dwform){
         var params = 'call=draftdel';
         params += '&id='+encodeURIComponent(dwform.elements.id.value);
-        params += '&sectok='+encodeURIComponent(dwform.elements.sectok.value);
 
         var sackobj = new sack(DOKU_BASE + 'lib/exe/ajax.php');
         // this needs to be synchronous and GET to not be aborted upon page unload
diff --git a/lib/scripts/locktimer.js b/lib/scripts/locktimer.js
index 5335e228f..0db7d2b15 100644
--- a/lib/scripts/locktimer.js
+++ b/lib/scripts/locktimer.js
@@ -73,7 +73,6 @@ var locktimer = {
         if(now.getTime() - locktimer.lasttime.getTime() > 30*1000){
             var params = 'call=lock&id='+encodeURIComponent(locktimer.pageid);
             var dwform = $('dw__editform');
-            params += '&sectok='+encodeURIComponent(dwform.elements.sectok.value);
             if(locktimer.draft && dwform.elements.wikitext){
                 params += '&prefix='+encodeURIComponent(dwform.elements.prefix.value);
                 params += '&wikitext='+encodeURIComponent(dwform.elements.wikitext.value);
-- 
GitLab