From b96bb692cc53e7c7275dbbb4495044492b430b08 Mon Sep 17 00:00:00 2001
From: Ere Maijala <ere.maijala@helsinki.fi>
Date: Fri, 27 May 2016 10:51:58 -0400
Subject: [PATCH] Add missing CSRF token. - Resolves VUFIND-1179

---
 themes/bootstrap3/templates/myresearch/newpassword.phtml   | 1 +
 themes/jquerymobile/templates/myresearch/newpassword.phtml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/themes/bootstrap3/templates/myresearch/newpassword.phtml b/themes/bootstrap3/templates/myresearch/newpassword.phtml
index d504382bf7d..8391573200f 100644
--- a/themes/bootstrap3/templates/myresearch/newpassword.phtml
+++ b/themes/bootstrap3/templates/myresearch/newpassword.phtml
@@ -20,6 +20,7 @@
   <div class="error"><?=$this->transEsc('recovery_user_not_found') ?></div>
 <? else: ?>
   <form id="newpassword" class="form-horizontal" action="<?=$this->url('myresearch-newpassword') ?>" method="post" data-toggle="validator" role="form">
+    <input type="hidden" value="<?=$this->escapeHtmlAttr($this->auth()->getManager()->getCsrfHash(true))?>" name="csrf"/>
     <input type="hidden" value="<?=$this->escapeHtmlAttr($this->hash) ?>" name="hash"/>
     <input type="hidden" value="<?=$this->escapeHtmlAttr($this->username) ?>" name="username"/>
     <input type="hidden" value="<?=$this->escapeHtmlAttr($this->auth_method) ?>" name="auth_method"/>
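Review bot: The added `csrf` hidden input only emits the token. Nothing in this patch shows the `myresearch-newpassword` action rejecting a POST whose `csrf` value is missing or mismatched, so the protection depends on server-side validation outside this diff, which should be confirmed and covered by a test that posts without the field. The same line is added to the jquerymobile template in the second hunk. Both pass `true` to `getCsrfHash()`, which appears to request a fresh token on each render; if so, rendering the form a second time (another tab, back button) may invalidate the earlier copy. Once confirmed, a short template comment above the input would record this, e.g. `<? /* CSRF token for the newpassword POST; regenerated on each render, keep in sync with the other theme */ ?>`. The form body continues past the end of the hunk.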
diff --git a/themes/jquerymobile/templates/myresearch/newpassword.phtml b/themes/jquerymobile/templates/myresearch/newpassword.phtml
index 0f0694a8fea..ee3335dcddd 100644
--- a/themes/jquerymobile/templates/myresearch/newpassword.phtml
+++ b/themes/jquerymobile/templates/myresearch/newpassword.phtml
@@ -20,6 +20,7 @@
     <? else: ?>
       <form data-ajax="false" action="<?=$this->url('myresearch-newpassword') ?>" method="post">
         <?=$this->auth()->getNewPasswordForm() ?>
+        <input type="hidden" value="<?=$this->escapeHtmlAttr($this->auth()->getManager()->getCsrfHash(true))?>" name="csrf"/>
         <input type="hidden" value="<?=$this->escapeHtmlAttr($this->hash) ?>" name="hash"/>
         <input type="hidden" value="<?=$this->escapeHtmlAttr($this->username) ?>" name="username"/>
         <input type="hidden" value="<?=$this->escapeHtmlAttr($this->auth_method) ?>" name="auth_method"/>
-- 
GitLab