Add CSRF check

ajax/documentController.php

@@ -53,14 +53,15 @@ class DocumentController extends Controller{
 	 * @param array $args - array containing session id as an element with a key es_id 
 	 */
 	public static function serve($args){
+		
 		$session = new Db_Session();
 		$sessionData = $session->load(@$args['es_id'])->getData();
 			
 		$file = new File(@$sessionData['file_id']);
 		if (!$file->isPublicShare()){
-			self::preDispatch(false);
+			self::preDispatch();
 		} else {
-			self::preDispatchGuest(false);
+			self::preDispatchGuest();
 		}
 		
 		$filename = isset($sessionData['genesis_url']) ? $sessionData['genesis_url'] : '';

js/ServerFactory.js

@@ -45,8 +45,7 @@ define("owncloud/ServerFactory", [
 
                 server = new PullBoxServer(args);
                 server.getGenesisUrl = function(sid) {
-                    // what a dirty hack :)
-                    return OC.generateUrl('apps/documents/ajax/genesis/{es_id}', {es_id: sid});
+                    return OC.generateUrl('apps/documents/ajax/genesis/{es_id}', {es_id: sid}) + '?requesttoken=' + oc_requesttoken;
                 };
                 return server;
             };