From 4e56c44317afd77e91e2d40a5ce1ce09155bfc41 Mon Sep 17 00:00:00 2001
From: Demian Katz <demian.katz@villanova.edu>
Date: Tue, 2 Sep 2014 10:35:30 -0400
Subject: [PATCH] Include route params in HMAC validation.

---
 .../src/VuFind/Controller/Plugin/AbstractRequestBase.php     | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/module/VuFind/src/VuFind/Controller/Plugin/AbstractRequestBase.php b/module/VuFind/src/VuFind/Controller/Plugin/AbstractRequestBase.php
index 4d3b2896269..eba75a7bed3 100644
--- a/module/VuFind/src/VuFind/Controller/Plugin/AbstractRequestBase.php
+++ b/module/VuFind/src/VuFind/Controller/Plugin/AbstractRequestBase.php
@@ -120,7 +120,10 @@ abstract class AbstractRequestBase extends AbstractPlugin
 
         $keyValueArray = array();
         foreach ($linkData as $details) {
-            $keyValueArray[$details] = $params->fromQuery($details);
+            // We expect most parameters to come via query, but some (mainly ID) may
+            // be in the route:
+            $keyValueArray[$details]
+                = $params->fromQuery($details, $params->fromRoute($details));
         }
         $hashKey = $this->hmac->generate($linkData, $keyValueArray);
 
-- 
GitLab