From 3d2966c18131050502b3b20c549fe46ccf62d362 Mon Sep 17 00:00:00 2001
From: Flavio Copes <copesc@gmail.com>
Date: Sun, 22 Nov 2015 17:41:46 +0100
Subject: [PATCH] Last nonce fixes

---
 classes/controller.php      | 2 +-
 themes/grav/js/admin-all.js | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/classes/controller.php b/classes/controller.php
index f4be5409..94f9326b 100644
--- a/classes/controller.php
+++ b/classes/controller.php
@@ -266,7 +266,7 @@ class AdminController
 
         $author = $this->grav['config']->get('site.author.name', '');
         $fullname = $user->fullname ?: $username;
-        $reset_link = rtrim($this->grav['uri']->rootUrl(true), '/') . '/' . trim($this->admin->base, '/') . '/reset/task' . $param_sep . 'reset/user'. $param_sep . $username . '/token' . $param_sep . $token;
+        $reset_link = rtrim($this->grav['uri']->rootUrl(true), '/') . '/' . trim($this->admin->base, '/') . '/reset/task' . $param_sep . 'reset/user'. $param_sep . $username . '/token' . $param_sep . $token . '/admin-nonce' . $param_sep . Utils::getNonce('admin-form');
 
         $sitename = $this->grav['config']->get('site.title', 'Website');
         $from = $this->grav['config']->get('plugins.email.from', 'noreply@getgrav.org');
diff --git a/themes/grav/js/admin-all.js b/themes/grav/js/admin-all.js
index 1516dfbe..5c1b9f0f 100644
--- a/themes/grav/js/admin-all.js
+++ b/themes/grav/js/admin-all.js
@@ -21,7 +21,9 @@ var bytesToSize = function(bytes) {
 var isFirefox = navigator.userAgent.toLowerCase().indexOf('firefox') > -1;
 
 var keepAlive = function keepAlive() {
-    $.post(GravAdmin.config.base_url_relative + '/task' + GravAdmin.config.param_sep + 'keepAlive');
+    $.post(GravAdmin.config.base_url_relative + '/task' + GravAdmin.config.param_sep + 'keepAlive', {
+        'admin-nonce': GravAdmin.config.admin_nonce
+    });
 };
 
 $(function () {
@@ -296,7 +298,7 @@ $(function () {
                 if (grav.isUpdatable) {
                     var icon    = '<i class="fa fa-bullhorn"></i> ';
                         content = 'Grav <b>v{available}</b> ' + translations.PLUGIN_ADMIN.IS_NOW_AVAILABLE + '! <span class="less">(' + translations.PLUGIN_ADMIN.CURRENT + ': v{version})</span> ',
-                        button  = '<button data-maintenance-update="' + GravAdmin.config.base_url_relative + '/update.json/' + task + 'updategrav" class="button button-small secondary" id="grav-update-button">' + translations.PLUGIN_ADMIN.UPDATE_GRAV_NOW + '</button>';
+                        button  = '<button data-maintenance-update="' + GravAdmin.config.base_url_relative + '/update.json/' + task + 'updategrav/admin-nonce' + GravAdmin.config.param_sep + GravAdmin.config.admin_nonce + '" class="button button-small secondary" id="grav-update-button">' + translations.PLUGIN_ADMIN.UPDATE_GRAV_NOW + '</button>';
 
                     if (grav.isSymlink) {
                         button = '<span class="hint--left" style="float: right;" data-hint="' + translations.PLUGIN_ADMIN.GRAV_SYMBOLICALLY_LINKED + '"><i class="fa fa-fw fa-link"></i></span>';