Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

2025-02-06 07:04:57 +00:00 · 2021-01-25 10:09:47 +01:00 · 2021-01-25 10:09:47 +01:00 · 590a93525c
commit 590a93525c
parent 518eecde18 4b91c390c3
25 changed files with 165 additions and 57 deletions
--- a/1
+++ b/1
@ -192,6 +192,7 @@
  meta data
 - fix potential clickjacking attack with manipulated email address of a user
 - loading more items on ViewFolder page obeys sort order
+- fix possible csrf attacks due to missing form token

 --------------------------------------------------------------------------------
                     Changes in version 5.1.21
--- a/op/op.AddDocumentLink.php
+++ b/op/op.AddDocumentLink.php
@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('adddocumentlink', 'GET')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.AddEvent.php
+++ b/op/op.AddEvent.php
@ -34,6 +34,11 @@ if ($user->isGuest()) {
 	UI::exitError(getMLText("edit_event"),getMLText("access_denied"));
 }

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('addevent')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["from"]) && !(isset($_POST["frommonth"]) && isset($_POST["fromday"]) && isset($_POST["fromyear"])) ) {
 	UI::exitError(getMLText("add_event"),getMLText("error_occured"));
 }
--- a/op/op.ChangePassword.php
+++ b/op/op.ChangePassword.php
@ -38,6 +38,11 @@ function _printMessage($heading, $message) {
 	return;
 }

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('changepassword')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (isset($_POST["hash"])) {
 	$hash = $_POST["hash"];
 }
--- a/op/op.EditDocument.php
+++ b/op/op.EditDocument.php
@ -32,6 +32,11 @@ include("../inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('editdocument')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.EditFolder.php
+++ b/op/op.EditFolder.php
@ -32,6 +32,11 @@ include("../inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('editfolder')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["folderid"]) || !is_numeric($_POST["folderid"]) || intval($_POST["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
--- a/op/op.EditUserData.php
+++ b/op/op.EditUserData.php
@ -37,6 +37,11 @@ if (!$user->isAdmin() && ($settings->_disableSelfEdit)) {
 	UI::exitError(getMLText("edit_user_details"),getMLText("access_denied"));
 }

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('edituserdata')) {
+	UI::exitError(getMLText("edit_user_details"),getMLText("invalid_request_token"));
+}
+
 $fullname = $_POST["fullname"];
 $email    = $_POST["email"];
 $comment  = $_POST["comment"];
--- a/op/op.MoveDocument.php
+++ b/op/op.MoveDocument.php
@ -20,6 +20,7 @@

 include("../inc/inc.Settings.php");
 include("../inc/inc.LogInit.php");
+include("../inc/inc.Utils.php");
 include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('movedocument', 'GET')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
@ -62,46 +68,48 @@ if($document->isLocked()) {
 	}
 }

+if ($targetid == $oldFolder->getID()) {
+	UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("target_equals_source_folder"));
+}
+
 /* Check if name already exists in the folder */
 if(!$settings->_enableDuplicateDocNames) {
 	if($targetFolder->hasDocumentByName($document->getName())) {
-		UI::exitError(getMLText("folder_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
+		UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
 	}
 }

-if ($targetid != $oldFolder->getID()) {
-	if ($document->setFolder($targetFolder)) {
-		// Send notification to subscribers.
-		if($notifier) {
-			$nl1 = $oldFolder->getNotifyList();
-			$nl2 = $document->getNotifyList();
-			$nl3 = $targetFolder->getNotifyList();
-			$nl = array(
-				'users'=>array_unique(array_merge($nl1['users'], $nl2['users'], $nl3['users']), SORT_REGULAR),
-				'groups'=>array_unique(array_merge($nl1['groups'], $nl2['groups'], $nl3['groups']), SORT_REGULAR)
-			);
-			$subject = "document_moved_email_subject";
-			$message = "document_moved_email_body";
-			$params = array();
-			$params['name'] = $document->getName();
-			$params['old_folder_path'] = $oldFolder->getFolderPathPlain();
-			$params['new_folder_path'] = $targetFolder->getFolderPathPlain();
-			$params['username'] = $user->getFullName();
-			$params['url'] = getBaseUrl().$settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
-			$params['sitename'] = $settings->_siteName;
-			$params['http_root'] = $settings->_httpRoot;
-			$notifier->toList($user, $nl["users"], $subject, $message, $params);
-			foreach ($nl["groups"] as $grp) {
-				$notifier->toGroup($user, $grp, $subject, $message, $params);
-			}
-			// if user is not owner send notification to owner
+if ($document->setFolder($targetFolder)) {
+	// Send notification to subscribers.
+	if($notifier) {
+		$nl1 = $oldFolder->getNotifyList();
+		$nl2 = $document->getNotifyList();
+		$nl3 = $targetFolder->getNotifyList();
+		$nl = array(
+			'users'=>array_unique(array_merge($nl1['users'], $nl2['users'], $nl3['users']), SORT_REGULAR),
+			'groups'=>array_unique(array_merge($nl1['groups'], $nl2['groups'], $nl3['groups']), SORT_REGULAR)
+		);
+		$subject = "document_moved_email_subject";
+		$message = "document_moved_email_body";
+		$params = array();
+		$params['name'] = $document->getName();
+		$params['old_folder_path'] = $oldFolder->getFolderPathPlain();
+		$params['new_folder_path'] = $targetFolder->getFolderPathPlain();
+		$params['username'] = $user->getFullName();
+		$params['url'] = getBaseUrl().$settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
+		$params['sitename'] = $settings->_siteName;
+		$params['http_root'] = $settings->_httpRoot;
+		$notifier->toList($user, $nl["users"], $subject, $message, $params);
+		foreach ($nl["groups"] as $grp) {
+			$notifier->toGroup($user, $grp, $subject, $message, $params);
+		}
+		// if user is not owner send notification to owner
 //			if ($user->getID() != $document->getOwner()->getID()) 
 //				$notifier->toIndividual($user, $document->getOwner(), $subject, $message, $params);
-		}
-
-	} else {
-		UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
 	}
+
+} else {
+	UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
 }

 add_log_line();
--- a/op/op.MoveFolder.php
+++ b/op/op.MoveFolder.php
@ -20,6 +20,7 @@

 include("../inc/inc.Settings.php");
 include("../inc/inc.LogInit.php");
+include("../inc/inc.Utils.php");
 include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('movefolder', 'GET')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET["folderid"])<1) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }
@ -52,6 +58,11 @@ if (!is_object($targetFolder)) {
 	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
 }

+$oldFolder = $folder->getParent();
+if ($targetid == $oldFolder->getID()) {
+	UI::exitError(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))),getMLText("target_equals_source_folder"));
+}
+
 if($folder->isSubFolder($targetFolder)) {
 	UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("invalid_target_folder"));
 }
@ -67,7 +78,6 @@ if(!$settings->_enableDuplicateSubFolderNames) {
 	}
 }

-$oldFolder = $folder->getParent();
 if ($folder->setParent($targetFolder)) {
 	// Send notification to subscribers.
 	if($notifier) {
--- a/op/op.OverrideContentStatus.php
+++ b/op/op.OverrideContentStatus.php
@ -34,6 +34,12 @@ $accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
 if(!$accessop->check_controller_access($tmp[1] /*$controller*/)) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
 }
+
+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('overridecontentstatus')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.SetExpires.php
+++ b/op/op.SetExpires.php
@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('setexpires')) {
+	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (!isset($_POST["documentid"]) || !is_numeric($_POST["documentid"]) || intval($_POST["documentid"])<1) {
 	UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
 }
--- a/op/op.Settings.php
+++ b/op/op.Settings.php
@ -44,6 +44,11 @@ if (!$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }

+/* Check if the form data comes from a trusted request */
+if(!checkFormKey('savesettings')) {
+	UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
+}
+
 if (isset($_POST["action"])) $action=$_POST["action"];
 else if (isset($_GET["action"])) $action=$_GET["action"];
 else $action=NULL;
--- a/views/bootstrap/class.AddEvent.php
+++ b/views/bootstrap/class.AddEvent.php
@ -84,6 +84,7 @@ $(document).ready(function() {
 ?>

 <form class="form-horizontal" action="../op/op.AddEvent.php" id="form1" name="form1" method="post">
+		<?php echo createHiddenFieldWithKey('addevent'); ?>

 <?php
 		$this->formField(
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@ -2486,6 +2486,21 @@ $(function() {
 		return '';
 	} /* }}} */

+	function printAccessButton($object, $return=false) { /* {{{ */
+		$content = '';
+		$objid = $object->getId();
+		if($object->isType('document')) {
+			$content .= '<a class="access-document-btn" href="../out/out.DocumentAccess.php?documentid='.$objid.'" title="'.getMLText('edit_document_access').'"><i class="fa fa-bolt"></i></a>';
+		} elseif($object->isType('folder')) {
+			$content .= '<a class="access-folder-btn" href="../out/out.FolderAccess.php?folderid='.$objid.'" title="'.getMLText('edit_folder_access').'"><i class="fa fa-bolt"></i></a>';
+		}
+		if($return)
+			return $content;
+		else
+			echo $content;
+		return '';
+	} /* }}} */
+
 	/**
 	 * Output left-arrow with link which takes over a number of ids into
 	 * a select box.
@ -2936,6 +2951,9 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 			if($document->getAccessMode($user) >= M_READWRITE) {
 				$content .= $this->printLockButton($document, 'splash_document_locked', 'splash_document_unlocked', true);
 			}
+			if($document->getAccessMode($user) >= M_READWRITE) {
+				$content .= $this->printAccessButton($document, true);
+			}
 			if($enableClipboard) {
 				$content .= '<a class="addtoclipboard" rel="D'.$docID.'" msg="'.getMLText('splash_added_to_clipboard').'" title="'.getMLText("add_to_clipboard").'"><i class="fa fa-copy"></i></a>';
 			}
@ -3065,6 +3083,9 @@ $('body').on('click', '[id^=\"table-row-folder\"] td:nth-child(2)', function(ev)
 		} else {
 			$content .= '<span style="padding: 2px; color: #CCC;"><i class="fa fa-edit"></i></span>';
 		}
+		if($subFolderAccessMode >= M_READWRITE) {
+			$content .= $this->printAccessButton($subFolder, true);
+		}
 		if($enableClipboard) {
 			$content .= '<a class="addtoclipboard" rel="F'.$subFolder->getID().'" msg="'.getMLText('splash_added_to_clipboard').'" title="'.getMLText("add_to_clipboard").'"><i class="fa fa-copy"></i></a>';
 		}
--- a/views/bootstrap/class.ChangePassword.php
+++ b/views/bootstrap/class.ChangePassword.php
@ -51,6 +51,7 @@ document.form1.newpassword.focus();
 		$this->contentContainerStart();
 ?>
 <form class="form-horizontal" action="../op/op.ChangePassword.php" method="post" name="form1">
+	<?php echo createHiddenFieldWithKey('changepassword'); ?>
 <?php
 		if ($referuri) {
 			echo "<input type='hidden' name='referuri' value='".$referuri."'/>";
--- a/views/bootstrap/class.EditDocument.php
+++ b/views/bootstrap/class.EditDocument.php
@ -90,6 +90,7 @@ $(document).ready( function() {
 			$expdate = '';
 ?>
 <form class="form-horizontal" action="../op/op.EditDocument.php" name="form1" id="form1" method="post">
+		<?php echo createHiddenFieldWithKey('editdocument'); ?>
 	<input type="hidden" name="documentid" value="<?php echo $document->getID() ?>">
 <?php
 		$this->formField(
--- a/views/bootstrap/class.EditFolder.php
+++ b/views/bootstrap/class.EditFolder.php
@ -81,6 +81,7 @@ $(document).ready(function() {
 		$this->contentContainerStart();
 ?>
 <form class="form-horizontal" action="../op/op.EditFolder.php" id="form1" name="form1" method="post">
+		<?php echo createHiddenFieldWithKey('editfolder'); ?>
 		<input type="hidden" name="folderid" value="<?php print $folder->getID();?>">
 		<input type="hidden" name="showtree" value="<?php echo showtree();?>">
 <?php
--- a/views/bootstrap/class.EditUserData.php
+++ b/views/bootstrap/class.EditUserData.php
@ -103,6 +103,7 @@ $(document).ready( function() {
 		$this->contentContainerStart();
 ?>
 <form class="form-horizontal" action="../op/op.EditUserData.php" enctype="multipart/form-data" method="post" id="form">
+	<?php echo createHiddenFieldWithKey('edituserdata'); ?>
 <?php
 		$this->formField(
 			getMLText("current_password"),
--- a/views/bootstrap/class.ForcePasswordChange.php
+++ b/views/bootstrap/class.ForcePasswordChange.php
@ -77,31 +77,42 @@ $(document).ready( function() {
 		echo "<div class=\"alert\">".getMLText('password_expiration_text')."</div>";
 		$this->contentContainerStart();
 ?>
-<form action="../op/op.EditUserData.php" method="post" id="form" name="form1">
-<table>
-	<tr>
-		<td><?php printMLText("current_password");?>:</td>
-		<td><input id="currentpwd" type="Password" name="currentpwd" size="30"></td>
-	</tr>
-	<tr>
-		<td><?php printMLText("password");?>:</td>
-		<td><input id="pwd" class="pwd" type="Password" rel="strengthbar" name="pwd" size="30"></td>
-	</tr>
-		<tr>
-			<td><?php printMLText("password_strength");?>:</td>
-			<td>
-				<div id="strengthbar" class="progress" style="width: 220px; height: 30px; margin-bottom: 8px;"><div class="bar bar-danger" style="width: 0%;"></div></div>
-			</td>
-		</tr>
-	<tr>
-		<td><?php printMLText("confirm_pwd");?>:</td>
-		<td><input id="pwdconf" type="Password" name="pwdconf" size="30"></td>
-	</tr>
-	<tr>
-		<td></td>
-		<td><input class="btn" type="submit" value="<?php printMLText("submit_userinfo") ?>"></td>
-	</tr>
-</table>
+<form class="form-horizontal" action="../op/op.EditUserData.php" method="post" id="form" name="form1">
+	<?php echo createHiddenFieldWithKey('edituserdata'); ?>
+<?php
+		$this->formField(
+			getMLText("current_password"),
+			array(
+				'element'=>'input',
+				'type'=>'password',
+				'id'=>'currentpwd',
+				'name'=>'currentpwd',
+				'autocomplete'=>'off',
+				'required'=>true
+			)
+		);
+		$this->formField(
+			getMLText("new_password"),
+			'<input class="pwd" type="password" rel="strengthbar" id="pwd" name="pwd" size="30">'
+		);
+		if($passwordstrength) {
+			$this->formField(
+				getMLText("password_strength"),
+				'<div id="strengthbar" class="progress" style="width: 220px; height: 30px; margin-bottom: 8px;"><div class="bar bar-danger" style="width: 0%;"></div></div>'
+			);
+		}
+		$this->formField(
+			getMLText("confirm_pwd"),
+			array(
+				'element'=>'input',
+				'type'=>'password',
+				'id'=>'pwdconf',
+				'name'=>'pwdconf',
+				'autocomplete'=>'off',
+			)
+		);
+		$this->formSubmit("<i class=\"fa fa-save\"></i> ".getMLText('submit_password'));
+?>
 <input type="hidden" name="fullname" value="<?php print htmlspecialchars($user->getFullName());?>" />
 <input type="hidden" name="email" value="<?php print htmlspecialchars($user->getEmail());?>" />
 <input type="hidden" name="comment" value="<?php print htmlspecialchars($user->getComment());?>" />
--- a/views/bootstrap/class.MoveDocument.php
+++ b/views/bootstrap/class.MoveDocument.php
@ -52,6 +52,7 @@ class SeedDMS_View_MoveDocument extends SeedDMS_Bootstrap_Style {
 		$this->contentContainerStart('warning');
 ?>
 <form class="form-horizontal" action="../op/op.MoveDocument.php" name="form1">
+	<?php echo createHiddenFieldWithKey('movedocument'); ?>
 	<input type="hidden" name="documentid" value="<?php print $document->getID();?>">
 <?php
 		$this->formField(getMLText("choose_target_folder"), $this->getFolderChooserHtml("form1", M_READWRITE, -1, $target));
--- a/views/bootstrap/class.MoveFolder.php
+++ b/views/bootstrap/class.MoveFolder.php
@ -52,6 +52,7 @@ class SeedDMS_View_MoveFolder extends SeedDMS_Bootstrap_Style {

 ?>
 <form class="form-horizontal" action="../op/op.MoveFolder.php" name="form1">
+	<?php echo createHiddenFieldWithKey('movefolder'); ?>
 	<input type="hidden" name="folderid" value="<?php print $folder->getID();?>">
 	<input type="hidden" name="showtree" value="<?php echo showtree();?>">
 <?php
--- a/views/bootstrap/class.OverrideContentStatus.php
+++ b/views/bootstrap/class.OverrideContentStatus.php
@ -85,6 +85,7 @@ $(document).ready(function() {
 // Display the Review form.
 ?>
 <form class="form-horizontal" method="post" action="../op/op.OverrideContentStatus.php" id="form1" name="form1">
+	<?php echo createHiddenFieldWithKey('overridecontentstatus'); ?>
 	<input type='hidden' name='documentid' value='<?php echo $document->getID() ?>'/>
 	<input type='hidden' name='version' value='<?php echo $content->getVersion() ?>'/>
 <?php
--- a/views/bootstrap/class.SetExpires.php
+++ b/views/bootstrap/class.SetExpires.php
@ -66,6 +66,7 @@ $(document).ready( function() {

 <form class="form-horizontal" action="../op/op.SetExpires.php" method="post">
 <input type="hidden" name="documentid" value="<?php print $document->getID();?>">
+	<?php echo createHiddenFieldWithKey('setexpires'); ?>
 <?php
 		$options = array();
 		$options[] = array('never', getMLText('does_not_expire'));
--- a/views/bootstrap/class.Settings.php
+++ b/views/bootstrap/class.Settings.php
@ -256,6 +256,7 @@ class SeedDMS_View_Settings extends SeedDMS_Bootstrap_Style {

 ?>
  <form action="../op/op.Settings.php" method="post" enctype="multipart/form-data" name="form0" >
+	<?php echo createHiddenFieldWithKey('savesettings'); ?>
  <input type="hidden" name="action" value="saveSettings" />
 	<input type="hidden" id="currenttab" name="currenttab" value="<?php echo $currenttab ? $currenttab : 'site'; ?>" />
 <?php
--- a/views/bootstrap/class.ViewDocument.php
+++ b/views/bootstrap/class.ViewDocument.php
@ -1810,6 +1810,7 @@ class SeedDMS_View_ViewDocument extends SeedDMS_Bootstrap_Style {
 			<br>
 			<form action="../op/op.AddDocumentLink.php" name="form1" class="form-horizontal">
 			<input type="hidden" name="documentid" value="<?php print $documentid;?>">
+			<?php echo createHiddenFieldWithKey('adddocumentlink'); ?>
 			<?php $this->formField(getMLText("add_document_link"), $this->getDocumentChooserHtml("form1")); ?>
 			<?php
 			if ($document->getAccessMode($user) >= M_READWRITE) {