Index: includes/form.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/form.inc,v
retrieving revision 1.416
diff -u -p -r1.416 form.inc
--- includes/form.inc	5 Dec 2009 16:03:51 -0000	1.416
+++ includes/form.inc	11 Dec 2009 00:54:10 -0000
@@ -688,22 +688,26 @@ function drupal_prepare_form($form_id, &
   // authenticated users. This ensures that any submitted form was actually
   // requested previously by the user and protects against cross site request
   // forgeries.
-  if (isset($form['#token'])) {
-    if ($form['#token'] === FALSE || $user->uid == 0 || $form_state['programmed']) {
+  // This does not apply to programmatically submitted forms. Furthermore, since
+  // tokens are session-bound and forms displayed to anonymous users are very
+  // likely cached, we cannot assign a token for them.
+  // During installation, there is no $user yet.
+  if (!empty($user->uid) && !$form_state['programmed']) {
+    // Form constructors may explicitly set #token to FALSE when cross site
+    // request forgery is irrelevant to the form, such as search forms.
+    if (isset($form['#token']) && $form['#token'] === FALSE) {
       unset($form['#token']);
     }
+    // Otherwise, generate a public token based on the assigned token.
     else {
-      $form['form_token'] = array('#type' => 'token', '#default_value' => drupal_get_token($form['#token']));
+      $form['#token'] = $form_id;
+      $form['form_token'] = array(
+        '#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
+        '#type' => 'token',
+        '#default_value' => drupal_get_token($form['#token']),
+      );
     }
   }
-  elseif (isset($user->uid) && $user->uid && !$form_state['programmed']) {
-    $form['#token'] = $form_id;
-    $form['form_token'] = array(
-      '#id' => drupal_html_id('edit-' . $form_id . '-form-token'),
-      '#type' => 'token',
-      '#default_value' => drupal_get_token($form['#token']),
-    );
-  }
 
   if (isset($form_id)) {
     $form['form_id'] = array(
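Review bot: The `$form['#token'] = $form_id;` line in the else branch overwrites any `#token` string a form constructor assigned, where the removed code passed that value to drupal_get_token(); the only remaining check on a constructor-supplied value is the `=== FALSE` test above it. If dropping custom tokens is intended, the comment "Otherwise, generate a public token based on the assigned token" no longer matches, since the token is now always the form ID; if not, keep them with `$form['#token'] = isset($form['#token']) ? $form['#token'] : $form_id;`. Either way the docblock should say that `#token` may only be FALSE (opt out) or absent. drupal_prepare_form() starts and ends outside the hunk, and `$form_state['programmed']` is read without an isset() as before.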
Index: modules/comment/comment.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/comment/comment.module,v
retrieving revision 1.814
diff -u -p -r1.814 comment.module
--- modules/comment/comment.module	4 Dec 2009 16:49:46 -0000	1.814
+++ modules/comment/comment.module	11 Dec 2009 00:10:29 -0000
@@ -1829,7 +1829,7 @@ function comment_form($form, &$form_stat
   $form['submit'] = array(
     '#type' => 'submit',
     '#value' => t('Save'),
-    '#access' => variable_get('comment_preview_' . $node->type, DRUPAL_OPTIONAL) != DRUPAL_REQUIRED || (!form_get_errors() && isset($form_state['comment_preview'])),
+    '#access' => ($comment->cid && user_access('administer comments')) || variable_get('comment_preview_' . $node->type, DRUPAL_OPTIONAL) != DRUPAL_REQUIRED || (!form_get_errors() && isset($form_state['comment_preview'])),
     '#weight' => 19,
   );
   $form['preview'] = array(
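Review bot: The changed `#access` line now chains three conditions on one line and reads `$comment->cid` directly, which emits a notice when `$comment` carries no cid; `$comment` is built outside the hunk, so I cannot tell whether that is guaranteed here. Consider naming the new case above the array, `$can_skip_preview = !empty($comment->cid) && user_access('administer comments');`, and writing `'#access' => $can_skip_preview || variable_get('comment_preview_' . $node->type, DRUPAL_OPTIONAL) != DRUPAL_REQUIRED || (!form_get_errors() && isset($form_state['comment_preview'])),` with a comment that administrators editing an existing comment may save without the required preview. The `!=` against DRUPAL_REQUIRED is a loose comparison carried over from the old line.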
Index: modules/contact/contact.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/contact/contact.pages.inc,v
retrieving revision 1.37
diff -u -p -r1.37 contact.pages.inc
--- modules/contact/contact.pages.inc	6 Dec 2009 23:56:47 -0000	1.37
+++ modules/contact/contact.pages.inc	11 Dec 2009 00:10:47 -0000
@@ -61,7 +61,6 @@ function contact_site_form($form, &$form
     $form['#attributes']['class'][] = 'user-info-from-cookie';
   }
 
-  $form['#token'] = $user->uid ? $user->name . $user->mail : '';
   $form['name'] = array(
     '#type' => 'textfield',
     '#title' => t('Your name'),
@@ -171,7 +170,7 @@ function contact_site_form_submit($form,
  * @see contact_personal_form_validate()
  * @see contact_personal_form_submit()
  */
-function contact_personal_form($form, &$form_state, stdClass $recipient) {
+function contact_personal_form($form, &$form_state, $recipient) {
   global $user;
 
   // Check if flood control has been activated for sending e-mails.
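Review bot: Dropping the `stdClass` hint on `contact_personal_form()` leaves `$recipient` unconstrained, and nothing in the hunk replaces that check before the value is placed in the form (the later hunk stores it as `'#value' => $recipient`). If the hint was removed because the menu loader can hand over something other than a stdClass instance, state that in the docblock with a `@param $recipient` entry describing the accepted value; otherwise the hint should stay. The docblock starts outside the hunk and the function body continues past it.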
@@ -190,7 +189,6 @@ function contact_personal_form($form, &$
     $form['#attributes']['class'][] = 'user-info-from-cookie';
   }
 
-  $form['#token'] = $user->uid ? $user->name . $user->mail : '';
   $form['recipient'] = array(
     '#type' => 'value',
     '#value' => $recipient,
