diff --git a/modules/authcache_form/authcache_form.admin.inc b/modules/authcache_form/authcache_form.admin.inc
index 17a7285..21e2c9e 100644
--- a/modules/authcache_form/authcache_form.admin.inc
+++ b/modules/authcache_form/authcache_form.admin.inc
@@ -52,6 +52,31 @@ function authcache_form_admin($form, &$form_state) {
 '#members_only' => FALSE,
 );
+ // Form token derived from base form id.
+ $form['base_id_token'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Form token derived from base form id'),
+ '#collapsible' => TRUE,
+ '#collapsed' => FALSE,
+ );
+
+ $module_info = system_get_info('module');
+ $modules_with_base_forms = array();
+ foreach (module_implements('forms') as $module) {
+ $modules_with_base_forms[] = $module_info[$module]['name'];
+ }
+ $form['base_id_token']['hint']['#markup'] = '
' . t('Some forms are repeated over and over across a site, each one with a slightly different form-id. A good example is the commerce add-to-cart form. Instead of deriving the CSRF token from the unique form-id, the base-form id can be used, such that only one token needs to be generated for all forms having a common base form.') . '
';
+ if (!empty($modules_with_base_forms)) {
+ $form['base_id_token']['hint']['#markup'] .= '' . t('The following modules implement base forms and therefore might be affected by this feature:') . ' ' . implode(', ', $modules_with_base_forms) . '
';
+ }
+
+ $form['base_id_token']['authcache_form_base_id_token'] = array(
+ '#type' => 'textarea',
+ '#title' => t('Base forms'),
+ '#description' => t('Supply a list of base form-ids where CSRF tokens should be derived from. Defaults to "*", i.e. applied to all base forms.'),
+ '#default_value' => variable_get('authcache_form_base_id_token', '*'),
+ );
+
 // Ajax forms.
 $cacheobject_disabled = !module_exists('cacheobject');
diff --git a/modules/authcache_form/authcache_form.install b/modules/authcache_form/authcache_form.install
index 06337fb..e2cd064 100644
--- a/modules/authcache_form/authcache_form.install
+++ b/modules/authcache_form/authcache_form.install
@@ -37,6 +37,7 @@ function authcache_form_requirements($phase) {
 * Implements hook_uninstall().
 */
 function authcache_form_uninstall() {
+ variable_del('authcache_form_base_id_token');
 variable_del('authcache_form_cache_lifespan');
 variable_del('authcache_form_cache_lifespan_custom');
 variable_del('authcache_form_notoken');
diff --git a/modules/authcache_form/authcache_form.module b/modules/authcache_form/authcache_form.module
index 6468b1a..e5f1401 100644
--- a/modules/authcache_form/authcache_form.module
+++ b/modules/authcache_form/authcache_form.module
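Review bot: The `'#description'` of the `authcache_form_base_id_token` textarea does not tell the administrator how the list is parsed (one base form-id per line, whether `*` may be used inside an id) nor what enabling a base form means for CSRF protection: every form instance built from that base form is then seeded with the same token value, so a token issued on one instance is accepted on all of them, and the default `'*'` turns this on for every base form. I would extend it, e.g. `t('Supply a list of base form-ids, one per line, whose forms should share a CSRF token derived from the base form-id instead of the individual form-id. Defaults to "*", i.e. applied to all base forms.')`. The exact matching rules live in _authcache_form_match_form_id, which is outside this diff, so the wording should be checked against it. The module names concatenated into `#markup` come from .info files rather than user input; passing them through `check_plain()` would nevertheless keep the hint safe if a name ever contained markup.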
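Review bot: hook_uninstall now deletes `authcache_form_base_id_token`, but the two variables the authcache_form.module hunk stops reading, `authcache_form_base_form_token` and `authcache_form_base_form_token_roles`, are neither deleted here nor migrated, and the new name is read with the permissive default `'*'`. A site that had narrowed the old list (for instance via `$conf` in settings.php) silently falls back to applying base-form tokens everywhere, and the old rows stay in the variable table after uninstall. I would add `variable_del('authcache_form_base_form_token');` and `variable_del('authcache_form_base_form_token_roles');` to authcache_form_uninstall() and an `authcache_form_update_N()` hook in this file that copies the old value into the new variable before deleting it.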
@@ -111,12 +111,15 @@ function authcache_form_form_alter(&$form, &$form_state, $form_id) {
 // product listing. Note we need to do that on both cacheable as well as
 // uncacheable versions of the page. Otherwise form-processing will not work
 // as soon as the form is submitted.
- if (_authcache_form_allow_base_id_token($form_id) && isset($form['#token']) && isset($form_state['build_info']['base_form_id'])) {
- $form['#token'] = $form_state['build_info']['base_form_id'];
- if (!empty($form['form_token']['#default_value'])) {
- // Just in case caching is canceled later on, ensure that the hidden
- // token field has the correct token.
- $form['form_token']['#default_value'] = drupal_get_token($form['#token']);
+ if (isset($form['#token']) && isset($form_state['build_info']['base_form_id'])) {
+ $base_form_id = $form_state['build_info']['base_form_id'];
+ if (_authcache_form_allow_base_id_token($base_form_id)) {
+ $form['#token'] = $base_form_id;
+ if (!empty($form['form_token']['#default_value'])) {
+ // Just in case caching is canceled later on, ensure that the hidden
+ // token field has the correct token.
+ $form['form_token']['#default_value'] = drupal_get_token($form['#token']);
+ }
 }
 }
 }
@@ -189,7 +192,7 @@ function _authcache_form_allow_notoken($form_id, $account = NULL) {
 /**
 * Test whether CSRF token based on base form id is allowed.
 *
- * @param string $form_id
+ * @param string $base_form_id
 * The form id to test.
 * @param object $account
 * The account to test.
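Review bot: `$form['#token'] = $base_form_id;` is the line that widens the CSRF token's validity from one form-id to every form built from that base form, and the surrounding comment only explains the caching motivation; a comment at that line should state the trade-off, e.g. `// Seed drupal_get_token() with the base form id: all forms sharing this base form now carry, and accept, the same token.` The guard `!empty($form['form_token']['#default_value'])` rather than isset() presumably relies on drupal_get_token() never yielding an empty string, which looks safe but deserves a word in the comment above it. authcache_form_form_alter continues outside the hunk on both sides.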
@@ -197,8 +200,8 @@ function _authcache_form_allow_notoken($form_id, $account = NULL) {
 * @return bool
 * TRUE if config allows tokens based on base form id, FALSE otherwise.
 */
-function _authcache_form_allow_base_id_token($form_id, $account = NULL) {
- return authcache_role_restrict_members_access(variable_get('authcache_form_base_form_token_roles', authcache_get_roles()), $account) && _authcache_form_match_form_id($form_id, variable_get('authcache_form_base_form_token', '*'));
+function _authcache_form_allow_base_id_token($base_form_id, $account = NULL) {
+ return authcache_account_allows_caching($account) && _authcache_form_match_form_id($base_form_id, variable_get('authcache_form_base_id_token', '*'));
 }
 /**
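Review bot: The rewritten return line drops the role gate `authcache_role_restrict_members_access(...)` in favour of `authcache_account_allows_caching($account)`, so base-form tokens can no longer be limited to a subset of roles; if that narrowing of configuration is intended it should be stated in the docblock, which still describes the parameter as `The form id to test.` and the result as what config allows. I would change the parameter line (in the preceding hunk of this file) to `The base form id to test.` and the return line to `TRUE if the account may be served cached pages and config allows tokens based on base form id, FALSE otherwise.` The behaviour of authcache_account_allows_caching() is not visible in this diff, so the exact wording should be confirmed against it.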