Differences From:
File
src/report.c
part of check-in
[21326fb6f7]
- Fix enforcement of access restrictions on reports. Do not allow reports
to show the content of fields whose names begin with "private_" unless
the "e" permission is enabled.
by
drh on
2008-07-19 15:12:34.
To:
File
src/report.c
part of check-in
[0be54823ba]
- Add defenses against cross-site request forgery attacks.
by
drh on
2008-10-18 12:55:44.
@@ -320,8 +320,9 @@
z = P("s");
zSQL = z ? trim_string(z) : 0;
zClrKey = trim_string(PD("k",""));
if( rn>0 && P("del2") ){
+ login_verify_csrf_secret();
db_multi_exec("DELETE FROM reportfmt WHERE rn=%d", rn);
cgi_redirect("reportlist");
return;
}else if( rn>0 && P("del1") ){
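Review bot: The return value of `login_verify_csrf_secret();` on the del2 branch is discarded, so the DELETE that follows is protected only if that function never returns on a token mismatch; its body is not in this diff, so that contract should be stated where it is relied on, e.g. `/* terminates the request on CSRF mismatch; never returns on failure */`. If it instead reports the result, the branch needs an explicit check before `db_multi_exec(...)`. The same reliance applies to the UPDATE path in the hunk at +357. The enclosing handler starts and continues outside this hunk.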
@@ -336,8 +337,9 @@
@ the database. This is an irreversible operation. All records
@ related to this report will be removed and cannot be recovered.</p>
@
@ <input type="hidden" name="rn" value="%d(rn)">
+ login_insert_csrf_secret();
@ <input type="submit" name="del2" value="Delete The Report">
@ <input type="submit" name="can" value="Cancel">
@ </form>
style_footer();
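Review bot: `login_insert_csrf_secret();` places the token inside the delete-confirmation form, but the `<form>` element that opens it is outside the hunk, so its method cannot be confirmed from here; if the form is submitted with GET, the token lands in the URL, Referer headers and server logs, which weakens the defense this commit adds. Confirm the form declares method="post", and the same for the report-edit form in the hunk at +408. The function body continues past style_footer() outside the hunk.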
@@ -355,8 +357,9 @@
}else{
zErr = verify_sql_statement(zSQL);
}
if( zErr==0 ){
+ login_verify_csrf_secret();
if( rn>0 ){
db_multi_exec("UPDATE reportfmt SET title=%Q, sqlcode=%Q,"
" owner=%Q, cols=%Q WHERE rn=%d",
zTitle, zSQL, zOwner, zClrKey, rn);
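Review bot: The CSRF check at `login_verify_csrf_secret();` runs only after verify_sql_statement(zSQL) has accepted the submitted query, so a forged submission is validated and, on a bad statement, answered with the normal error page, and only a syntactically valid one is rejected. Moving the call ahead of the SQL validation, at the start of the submit path, keeps the trust boundary in one place and covers any side effect later added between those two points. The enclosing block starts and ends outside this hunk.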
@@ -405,8 +408,9 @@
@ <input type="text" name="t" value="%h(zTitle)" size="60"></p>
@ <p>Enter a complete SQL query statement against the "TICKET" table:<br>
@ <textarea name="s" rows="20" cols="80">%h(zSQL)</textarea>
@ </p>
+ login_insert_csrf_secret();
if( g.okAdmin ){
@ <p>Report owner:
@ <input type="text" name="w" size="20" value="%h(zOwner)">
@ </p>