From d26c6b402b4f3863cb3049b43ba013986c98ac16 Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Mon, 20 Jul 2009 15:38:07 +0000
Subject: [PATCH] Add CSRF code to ProfileSettings edit profile field and edit profile category.

---
 lib/WebGUI/Operation/ProfileSettings.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/WebGUI/Operation/ProfileSettings.pm b/lib/WebGUI/Operation/ProfileSettings.pm
index 48c83f0df..7bb8c30bc 100644
--- a/lib/WebGUI/Operation/ProfileSettings.pm
+++ b/lib/WebGUI/Operation/ProfileSettings.pm
@@ -201,8 +201,8 @@ Returns the user to www_editProfileSettings when done.
 
 #-------------------------------------------------------------------
 sub www_editProfileCategorySave {
-    my $session = shift;
-    return $session->privilege->adminOnly() unless canView($session);
+    my $session = shift;
+    return $session->privilege->adminOnly() unless canView($session) && $session->form->validToken();
     my %data = (
         label => $session->form->text("label"),
         shortLabel => $session->form->text("shortLabel"),
@@ -359,8 +359,8 @@ Returns the user to www_editProfileSettings when done.
 
 #-------------------------------------------------------------------
 sub www_editProfileFieldSave {
-    my $session = shift;
-    return $session->privilege->adminOnly() unless canView($session);
+    my $session = shift;
+    return $session->privilege->adminOnly() unless canView($session) && $session->form->validToken();
     # Special case for WebGUI auth password recovery.
     my $requiredForPasswordRecovery = $session->form->yesNo('requiredForPasswordRecovery');
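Review bot: The new guard in www_editProfileCategorySave folds the CSRF token check into the same `adminOnly()` response as the privilege check, so a legitimate admin whose token is missing or stale gets an "admin only" page and nothing in the logs distinguishes a CSRF rejection from an authorization failure; the same applies to the identical line in the www_editProfileFieldSave hunk. Separating the two conditions keeps the privilege semantics unchanged and gives a token failure its own response that can be logged and monitored, e.g. `return $session->privilege->adminOnly() unless canView($session);` followed by `return $session->privilege->insufficient() unless $session->form->validToken();`. The `my $session = shift;` line is removed and re-added unchanged in both hunks, which looks like a whitespace-only edit and adds noise to the diff; if the indentation change is intentional, a note in the commit message would help. Both subroutine bodies continue past the end of their hunks.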