diff --git a/app/controllers/dmsf_files_copy_controller.rb b/app/controllers/dmsf_files_copy_controller.rb
index 3d33485d..3126e019 100644
--- a/app/controllers/dmsf_files_copy_controller.rb
+++ b/app/controllers/dmsf_files_copy_controller.rb
@@ -24,6 +24,8 @@ class DmsfFilesCopyController < ApplicationController
   before_filter :find_file
   before_filter :authorize
+  verify :method => :post, :only => [:create], :render => { :nothing => true, :status => :method_not_allowed }
+
   def new
     @target_project = DmsfFile.allowed_target_projects_on_copy.detect {|p| p.id.to_s == params[:target_project_id]} if params[:target_project_id]
     @target_project ||= @project if User.current.allowed_to?(:file_manipulation, @project)
diff --git a/app/controllers/dmsf_state_controller.rb b/app/controllers/dmsf_state_controller.rb
index d1b4e027..ce9859b9 100644
--- a/app/controllers/dmsf_state_controller.rb
+++ b/app/controllers/dmsf_state_controller.rb
@@ -24,6 +24,8 @@ class DmsfStateController < ApplicationController
   before_filter :find_project
   before_filter :authorize
+  verify :method => :post, :only => [:user_pref_save], :render => { :nothing => true, :status => :method_not_allowed }
+
   def user_pref_save
     member = @project.members.find(:first, :conditions => {:user_id => User.current.id})
     if member
diff --git a/app/controllers/dmsf_upload_controller.rb b/app/controllers/dmsf_upload_controller.rb
index b13c7c29..076ec91a 100644
--- a/app/controllers/dmsf_upload_controller.rb
+++ b/app/controllers/dmsf_upload_controller.rb
@@ -25,6 +25,9 @@ class DmsfUploadController < ApplicationController
   before_filter :authorize
   before_filter :find_folder, :except => [:upload_file]
+  verify :method => :post, :only => [:upload_files, :upload_file, :commit_files],
+    :render => { :nothing => true, :status => :method_not_allowed }
+
   def upload_files
     uploaded_files = params[:uploaded_files]
     @uploads = []
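Review bot: The `verify :method => :post` guard lands on DmsfFilesCopyController#create, DmsfStateController#user_pref_save and the three DmsfUploadController upload/commit actions, yet the show.html.erb hunks in this same commit re-point lock, unlock, delete, notify_activate, notify_deactivate and delete_revision at a POST form, and no hunk adds the same guard to the controller behind app/views/dmsf_files (presumably DmsfFilesController); if that controller still accepts GET, the old mutating GET URLs keep working and the forgery check, which in this Rails generation only runs for non-GET requests, never engages for them. The 405 produced by `:render => { :nothing => true, :status => :method_not_allowed }` also carries no `Allow: POST` header, which HTTP requires alongside a 405, so a client cannot tell which method it should have used. The identical options hash is spelled out in all three controllers; one shared constant (constructed example: `VERIFY_POST_OPTS = { :nothing => true, :status => :method_not_allowed }.freeze` in a plugin helper module) would keep them in step.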
diff --git a/app/views/dmsf_files/show.html.erb b/app/views/dmsf_files/show.html.erb
index 2964d142..19822217 100644
--- a/app/views/dmsf_files/show.html.erb
+++ b/app/views/dmsf_files/show.html.erb
@@ -5,28 +5,29 @@
 <% unless @file.locked_for_user? && !User.current.allowed_to?(:force_file_unlock, @project)%>
   <% if @file.locked? %>
     <%= link_to_function(image_tag("unlock.png", :plugin => "redmine_dmsf"),
-      {:action => "unlock", :id => @file, :current => request.url },
+      "manipulation_link('#{url_for(:action => 'unlock', :id => @file, :current => request.url)}')",
       :title => l(:title_unlock_file)) %>
   <% else %>
-    <%= link_to(image_tag("lock.png", :plugin => "redmine_dmsf"),
-      {:action => "lock", :id => @file, :current => request.url },
+    <%= link_to_function(image_tag("lock.png", :plugin => "redmine_dmsf"),
+      "manipulation_link('#{url_for(:action => 'lock', :id => @file, :current => request.url)}')",
       :title => l(:title_lock_file)) %>
   <% end %>
 <% end %>
 <% if User.current.allowed_to?(:file_manipulation, @project) && !@file.locked_for_user? %>
  
-  <%= link_to(image_tag("delete.png", :plugin => "redmine_dmsf"),
-    {:action => "delete", :id => @file}, :class => "delete-entry", :title => l(:title_delete)) %>
+  <%= link_to_function(image_tag("delete.png", :plugin => "redmine_dmsf"),
+    "confirmation_link('#{url_for(:action => 'delete', :id => @file)}', '#{l(:question_do_you_really_want_to_delete_this_entry)}')",
+    :title => l(:title_delete)) %>
 <% end %>
 <% if User.current.allowed_to?(:file_approval, @project) %>
  
   <% if @file.notification %>
-    <%= link_to(image_tag("notify.png", :plugin => "redmine_dmsf"),
-      {:action => "notify_deactivate", :id => @file, :current => request.url },
+    <%= link_to_function(image_tag("notify.png", :plugin => "redmine_dmsf"),
+      "manipulation_link('#{url_for(:action => 'notify_deactivate', :id => @file, :current => request.url)}')",
       :title => l(:title_notifications_active_deactivate)) %>
   <% else %>
-    <%= link_to(image_tag("notifynot.png", :plugin => "redmine_dmsf"),
-      {:action => "notify_activate", :id => @file, :current => request.url},
+    <%= link_to_function(image_tag("notifynot.png", :plugin => "redmine_dmsf"),
+      "manipulation_link('#{url_for(:action => 'notify_activate', :id => @file, :current => request.url)}')",
       :title => l(:title_notifications_not_active_activate)) %>
   <% end %>
 <% end %>
@@ -48,6 +49,10 @@
 <%= render(:partial => "file_new_revision") if User.current.allowed_to?(:file_manipulation, @file.project) %>
+<% form_tag({}, :id => "manipulation_form") do |f| %>
+<% end %>
+
+

<%= l(:heading_revisions) %>

<% @file.revisions[@revision_pages.current.offset,@revision_pages.items_per_page].each do |revision| %>
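Review bot: The block parameter `|f|` on the added `form_tag` line is never used — `form_tag` yields no builder — so the line should read `<% form_tag({}, :id => "manipulation_form") do %>`. An empty form with no action is puzzling on its own and deserves a one-line comment, e.g. `<%# POST target for manipulation_link/confirmation_link: the lock, delete and notify icons submit through it so the forgery token (when protect_from_forgery is on) travels with them %>`, since its action is only ever set by the script at the bottom of this file. With `{}` as the URL the form posts to the current page if it is ever submitted before the script has set an action; that is harmless only if the show action does nothing on POST, which this diff does not show.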
@@ -57,9 +62,9 @@
       :title => l(:title_title_version_version_download,
       :title => h(revision.title), :version => revision.version)) %>
   <% if User.current.allowed_to?(:file_approval, @project) %>
  
-    <%= link_to(image_tag("delete.png", :plugin => "redmine_dmsf"),
-      {:action => "delete_revision", :id => revision},
-      :class => "delete-revision", :title => l(:title_delete_revision)) %>
+    <%= link_to_function(image_tag("delete.png", :plugin => "redmine_dmsf"),
+      "confirmation_link('#{url_for(:action => 'delete_revision', :id => revision)}', '#{l(:question_do_you_really_want_to_delete_this_revision)}')",
+      :title => l(:title_delete_revision)) %>
   <% end %>
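Review bot: The added `confirmation_link(...)` call interpolates `l(:question_do_you_really_want_to_delete_this_revision)` straight into a single-quoted JavaScript string literal that `link_to_function` then places in an onclick attribute; a translation containing an apostrophe (common in French or Italian locales) terminates the literal early, the handler throws, the confirm never appears and the link goes dead. Wrap the message with the JavaScript escaper: `'#{escape_javascript(l(:question_do_you_really_want_to_delete_this_revision))}'`. The same applies to the delete link added in the `@@ -5,28 +5,29 @@` hunk of this file, which interpolates `l(:question_do_you_really_want_to_delete_this_entry)` the same way. The `url_for(...)` values appear safe as written because the helper URL-encodes query values such as `:current => request.url`.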

@@ -176,14 +181,14 @@ sUrl = "jquery.dataTables/#{I18n.locale.to_s.downcase}.json" if I18n.locale && !
   jQuery.noConflict();
   function manipulation_link(action) {
-    jQuery("#new_revision_form").attr("action", action);
-    jQuery("#new_revision_form").submit();
+    jQuery("#manipulation_form").attr("action", action);
+    jQuery("#manipulation_form").submit();
   };
   function confirmation_link(action, question) {
     if(!window.confirm(question)) return;
-    jQuery("#new_revision_form").attr("action", action);
-    jQuery("#new_revision_form").submit();
+    jQuery("#manipulation_form").attr("action", action);
+    jQuery("#manipulation_form").submit();
   };
 <% end %>
\ No newline at end of file
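Review bot: `confirmation_link` repeats the two submit lines of `manipulation_link` after its confirm check; once the confirm passes it should simply delegate, `manipulation_link(action);`, so any future change to how the form is submitted is made in one place. The switch from `#new_revision_form` to `#manipulation_form` is what makes these links work for users who cannot see the new-revision partial (that partial is only rendered when the user has file_manipulation, per the `<%= render(:partial => "file_new_revision") if ... %>` line in the earlier hunk), and that reasoning is worth a short comment above `manipulation_link`, e.g. `// submits #manipulation_form, which this page always renders, to the given action`. The trailing `;` after each function declaration is an empty statement and can be dropped.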