From 64b263c5fee104c59d81c4535b745cb98abdafa7 Mon Sep 17 00:00:00 2001
From: team 1
Date: Wed, 18 Feb 2026 08:52:19 +0100
Subject: [PATCH] fix csrf token handling in controllers
---
 src/Controller/Admin/DocumentController.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Controller/Admin/DocumentController.php b/src/Controller/Admin/DocumentController.php
index fde5f28..a581cb0 100644
--- a/src/Controller/Admin/DocumentController.php
+++ b/src/Controller/Admin/DocumentController.php
@@ -234,7 +234,7 @@ class DocumentController extends AbstractController
 ): RedirectResponse
 {
- if (!$this->isCsrfTokenValid('activate_version', $request->request->get('_token'))) {
+ if (!$this->isCsrfTokenValid('activate_version_'.$versionId, $request->request->get('_token'))) {
 throw $this->createAccessDeniedException();
 }
@@ -313,7 +313,7 @@ class DocumentController extends AbstractController
 ): ?RedirectResponse
 {
 $dryRun = false;
- if (!$this->isCsrfTokenValid('ingest_version', $request->request->get('_token'))) {
+ if (!$this->isCsrfTokenValid('ingest_version_'.$versionId, $request->request->get('_token'))) {
 throw $this->createAccessDeniedException();
 }
@@ -427,7 +427,7 @@ class DocumentController extends AbstractController
 LockService $lockService,
 ): RedirectResponse
 {
- if (!$this->isCsrfTokenValid('delete_document', $request->request->get('_token'))) {
+ if (!$this->isCsrfTokenValid('delete_document_' . $id, $request->request->get('_token'))) {
 throw $this->createAccessDeniedException();
 }
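Review bot: The token ids checked in all three hunks now end in the entity id (`'activate_version_'.$versionId`, `'ingest_version_'.$versionId`, `'delete_document_' . $id`), but the diffstat lists only DocumentController.php, so nothing visible shows the forms minting their tokens under the same ids. If a form still uses the old fixed id, every submission will end in `createAccessDeniedException()`; if the forms are Twig templates, confirm each one builds the id the same way, e.g. `csrf_token('activate_version_' ~ version.id)` (the variable name is a placeholder). A functional test per action that submits a token minted for a different id and expects the request to be denied would pin the per-object binding this commit relies on. The three method bodies start and continue outside the hunks, so any authorization check next to the CSRF check is not visible here.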
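Review bot: The concatenation in the ingest check (second hunk) is written `'ingest_version_'.$versionId` without spaces around `.`, as is the activate check in the first hunk, while the delete hunk writes `'delete_document_' . $id`. PSR-12 asks for a space on both sides of binary operators, string concatenation included, so the first two should read `'activate_version_' . $versionId` and `'ingest_version_' . $versionId`. A one-line comment above each check would also help the next reader, for example `// CSRF token id is bound to the entity id; the form must mint the token with the same id.`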