From a54feb9c5828cd940df7115fbfba433d06defc99 Mon Sep 17 00:00:00 2001
From: Victor Dubiniuk
Date: Mon, 7 Apr 2014 20:33:50 +0300
Subject: [PATCH] Add CSRF check
---
 ajax/documentController.php | 5 +++--
 js/ServerFactory.js | 3 +--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ajax/documentController.php b/ajax/documentController.php
index 6a704a34..2413532e 100644
--- a/ajax/documentController.php
+++ b/ajax/documentController.php
@@ -53,14 +53,15 @@ class DocumentController extends Controller{
 * @param array $args - array containing session id as an element with a key es_id
 */
 public static function serve($args){
+
 $session = new Db_Session();
 $sessionData = $session->load(@$args['es_id'])->getData();
 $file = new File(@$sessionData['file_id']);
 if (!$file->isPublicShare()){
- self::preDispatch(false);
+ self::preDispatch();
 } else {
- self::preDispatchGuest(false);
+ self::preDispatchGuest();
 }
 $filename = isset($sessionData['genesis_url']) ? $sessionData['genesis_url'] : '';
diff --git a/js/ServerFactory.js b/js/ServerFactory.js
index 7c37949b..82740001 100644
--- a/js/ServerFactory.js
+++ b/js/ServerFactory.js
@@ -45,8 +45,7 @@ define("owncloud/ServerFactory", [
 server = new PullBoxServer(args);
 server.getGenesisUrl = function(sid) {
- // what a dirty hack :)
- return OC.generateUrl('apps/documents/ajax/genesis/{es_id}', {es_id: sid});
+ return OC.generateUrl('apps/documents/ajax/genesis/{es_id}', {es_id: sid}) + '?requesttoken=' + oc_requesttoken;
 };
 return server;
 };
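Review bot: The `Db_Session::load()` and `new File()` lookups on the context lines still run before the new `self::preDispatch()` / `self::preDispatchGuest()` calls, so the CSRF check that the dropped `false` argument presumably used to skip only fires after two lookups driven by raw request input. That ordering is forced by the `$file->isPublicShare()` branch, so it deserves a comment above the `if`, e.g. `// share lookup must precede preDispatch(); nothing is served until the CSRF/auth check below has passed`. The `@` on `@$args['es_id']` and `@$sessionData['file_id']` silences a missing key instead of rejecting it; the file's own `$filename` line shows the preferred form, `isset($args['es_id']) ? $args['es_id'] : null`. The blank line added right after `public static function serve($args){` is whitespace unrelated to the change. serve() continues past the end of the hunk.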
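Review bot: `oc_requesttoken` is concatenated into the query string on the new `return` line without `encodeURIComponent()`, so any character in the token with URL meaning would corrupt the parameter; `+ '?requesttoken=' + encodeURIComponent(oc_requesttoken)` is the safe form. Carrying the token in the URL also means it lands in access logs, browser history and Referer headers — unavoidable if the consumer can only take a URL, but the removed `// what a dirty hack :)` comment should be replaced by one explaining the coupling, e.g. `// genesis is served by DocumentController::serve(), which now enforces the CSRF token`. The hard-coded `'?'` assumes `OC.generateUrl()` never returns a URL that already has a query string, and the line relies on the `oc_requesttoken` global being defined on the public-share page as well as the logged-in one; I can't confirm either from the hunk.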