From 32158d6ecb79b0bfd726744f7012869708ad94c9 Mon Sep 17 00:00:00 2001 From: Henrique Dias Date: Tue, 5 Jul 2016 17:54:54 +0100 Subject: [PATCH] Update security measures by File Manager --- assets/public/js/application.js | 3 +++ binary.go | 4 ++-- hugo.go | 5 +++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/assets/public/js/application.js b/assets/public/js/application.js index 0b0d8b8a..e0ed0812 100644 --- a/assets/public/js/application.js +++ b/assets/public/js/application.js @@ -37,6 +37,7 @@ document.addEventListener('listing', event => { let request = new XMLHttpRequest(); request.open("POST", window.location); request.setRequestHeader('Filename', name); + request.setRequestHeader('Token', token); request.setRequestHeader('Archetype', archetype); request.send(); request.onreadystatechange = function() { @@ -87,6 +88,7 @@ document.addEventListener('editor', event => { let request = new XMLHttpRequest(); request.open("PUT", window.location); request.setRequestHeader('Kind', kind); + request.setRequestHeader('Token', token); request.setRequestHeader('Schedule', date); request.send(JSON.stringify(data)); request.onreadystatechange = function() { @@ -112,6 +114,7 @@ document.addEventListener('editor', event => { let request = new XMLHttpRequest(); request.open("PUT", window.location); request.setRequestHeader('Kind', kind); + request.setRequestHeader('Token', token); request.setRequestHeader('Regenerate', "true"); request.send(JSON.stringify(data)); request.onreadystatechange = function() { diff --git a/binary.go b/binary.go index 893ab9fe..c99b610b 100644 --- a/binary.go +++ b/binary.go 
@@ -89,7 +89,7 @@ func publicJsJsbeautifyrc() (*asset, error) { return a, nil } -var _publicJsApplicationJs = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xac\x58\x6d\x4f\xe3\x46\x10\xfe\x0c\x12\xff\x61\xeb\x56\x67\x5b\x17\x1c\xa0\x95\x2a\x41\x8c\x44\x8f\xab\xb8\x16\x4a\x75\x50\xa9\x52\x55\x89\x8d\x3d\x71\xf6\xb2\x59\xa7\xf6\x1a\x1a\xdd\xe5\xbf\x77\xc6\x6f\x79\x5b\x27\xf6\x51\x7f\x89\x93\xdd\xe7\xd9\x99\x67\xe7\x0d\xec\x2c\x05\x96\xea\x44\x04\xda\xbe\x38\x3a\x3c\x3a\x0c\xe3\x20\x9b\x82\xd2\x1e\x0f\xc3\xf7\xcf\xf8\x72\x2b\x52\x0d\x0a\x12\xc7\xbe\xbe\xbf\x7b\x17\x2b\x4d\xbf\xc5\x3c\x84\xd0\xee\x31\xa0\x1d\xcc\xbf\x64\x9f\x8f\x0e\x19\x3e\x12\x34\x93\x42\x4d\x98\xcf\x6a\xa2\x7f\x32\x48\xe6\x0f\x20\x21\xd0\x31\xb2\x8c\x01\xb1\x09\xbb\x64\xa1\x78\x3e\x1f\x89\x24\xd5\xc7\xc1\x58\xc8\x90\xf1\xd5\x6f\xb6\xeb\x45\xa0\xaf\x34\x5a\x36\xcc\x34\x20\x2c\x81\x91\xed\xb2\xb7\xcc\xea\xa7\xa0\xb5\x50\x51\xda\xb7\x8a\x43\xeb\x93\x10\xf1\x5e\x02\xbd\xfe\x34\xff\x10\x3a\xb6\x8c\xa3\x38\xd3\x48\x25\x54\x0a\x89\xbe\x0a\x3f\xf1\x00\x17\x6f\x1e\xef\x6e\x1d\x7b\x08\xa3\x38\x81\x21\x44\x42\xa1\x23\x4f\x03\xce\xe8\x08\xdf\xfa\xee\x33\x39\xb0\xb0\x2e\x0b\x72\xc6\x06\x68\x28\x0b\x24\x4f\x53\xdf\xe2\x81\x16\xb1\x5a\xae\xb1\x81\xa8\x96\xa6\x5c\x43\x22\xb8\x3c\x16\x41\xac\x52\xeb\xb2\xb2\x72\xd0\x17\x4b\xaa\x3e\x72\x55\xdf\x06\x7d\x7e\xf9\xe4\xa2\xe8\x0b\x77\x9f\xf2\x12\xdf\x90\xcb\x20\xb8\x18\x31\xe7\x45\xa8\x30\x7e\xf1\x64\x1c\x70\xb2\xce\x9b\x71\x3d\x56\x7c\x0a\xe8\x76\x20\xb3\x10\x52\xc7\xee\x07\xc5\xc5\xf5\x6d\xd7\xad\xa0\x3b\xa5\x53\xf0\x12\x8a\x04\xa5\x9b\x49\xd4\x6c\x1c\x4b\xba\x33\x9f\x59\x23\x21\xe1\xaf\x73\x9e\x04\x63\xd0\xf3\x19\xfc\xed\x79\x9e\x75\xd1\x85\x2f\x81\x69\xfc\x0c\x1b\xfe\x4d\x60\x8e\x1e\xd0\x3d\xe0\xbe\x6b\x91\xe4\xcb\x6e\x27\xde\x6d\xd1\x96\xa4\xab\xa2\x2d\x39\x2b\xf9\xf2\x55\x0f\x77\xbf\x8b\x43\x60\xbe\xcf\xce\x7e\x5c\xd3\xa8\xbd\x0d\x79\x24\x90\x01\x9e\x8e\xa3\x48\x62\xd4\x82\xe2\x43\x89\x99\xb2\xea\x4b\xf5\x60\x80\x3c\x8a\x29\x60\x84\x3a\x8e\xbb\x72\xa5\xdd\xcf\x7d\x
e6\x32\x43\xcb\x99\x6d\x1b\x8e\x59\xf4\xd8\xd9\xc9\xc9\xa6\x01\x8b\x56\x4a\x9c\x7e\x6f\x54\xa2\xd8\x37\x4b\xf2\xcf\x6b\x18\xf1\x4c\x6a\xa7\x08\xe2\xcd\xad\x54\x10\x2a\xf3\x5a\x3a\x62\xf0\x81\x58\x30\xc8\xe1\x5f\x64\xc9\xf7\x78\xa8\xb4\xfe\x40\xbf\xdc\x8f\x1c\xfb\xdc\xa8\x2f\x81\x28\x0d\x6a\x4c\x9a\x0d\xa9\xd2\xa9\xc8\x39\xe9\x15\x74\x4d\xb0\x3a\xbe\x0d\xd8\xc2\x8e\xb7\xec\xb4\x57\x99\x02\x2a\xd2\x63\x13\x15\x69\x5a\x58\x80\x99\x63\xb9\x95\x35\x35\x7b\x03\xa4\xf4\xd4\x67\xc7\xa7\xee\x9a\x29\x96\xd5\xa8\x31\x16\x49\x1d\xab\x3d\x22\x37\xca\x34\xd6\x53\x89\xd8\x82\xc4\x0b\xc6\x5c\x45\xf0\x18\x53\x95\x27\x8f\x9b\x50\x09\x60\x69\x4f\x31\xb1\x28\x6b\xd9\x9f\x77\xb7\x37\x5a\xcf\x3e\x16\x3f\x1a\x41\x25\xc0\x8b\x67\xa0\x1c\xeb\xf7\xfb\x87\x47\xab\xc7\x36\xaa\xd7\x2e\x1c\x66\x4c\x49\x7f\x93\x37\x11\xc7\xfe\x19\xcb\x11\xa9\x4a\x95\x03\x3f\xba\x81\xaf\x2a\x69\x11\x5d\xcb\xbc\x9b\x42\x85\xbb\x1d\x53\x09\x72\xcf\x53\x8d\xbd\xa0\x50\x11\xc5\x19\x65\x2a\xef\x1a\x8e\x31\x97\xe8\xa1\x4b\xaf\x28\x72\x82\x07\x22\xa0\x08\xf8\xa1\x11\x43\xcf\xc6\x7d\x5d\xc7\x0a\x9c\x9a\x88\x8c\xc8\x52\xf6\x8d\x9f\xa7\x7f\x2f\xbf\x63\x93\xed\x26\x23\x4a\xac\x5f\x60\x77\x99\x40\xcf\xc6\x0d\xa2\xcb\x4d\x1d\x09\xd3\x86\x3e\x76\x58\xb1\x30\x2f\x19\x7e\x5e\x6c\x15\xb4\xfa\xb5\x72\x73\xd1\xa6\xb7\x42\x28\x70\x2e\x31\xb4\xd6\xc6\x4c\xc2\x5a\x30\x15\x4d\x63\x05\x1f\xe1\x18\x80\x71\x92\xcf\x14\x2b\x93\x43\x22\xa2\xb1\xa6\xc1\xe1\x80\x0d\xca\x64\x15\xa1\x6f\xcd\xb2\x21\x36\xf7\x71\xbe\x80\x2b\xe9\x8c\xab\xfc\xf5\x60\xd7\x60\xa1\xc2\x62\xa8\x20\x44\xbf\x86\x94\xe8\x92\x71\xb9\x80\x7b\x8a\x03\xcb\x2f\x34\x82\x3c\x2d\xab\x35\xdd\xbb\xd3\xe8\x6b\x88\x87\xe3\xd8\xf5\xe5\x4b\xb3\x1c\xe5\x81\xc5\x4e\x97\xbd\x79\xd3\xbc\xb5\xd4\xda\xf5\x70\x33\xc7\x84\xf4\x26\x18\x28\x79\x75\x0c\xe2\xe9\x0c\x6b\x0a\x58\xe6\xf1\x64\x63\x86\xfc\xb6\x20\x62\x5e\xae\xea\xae\x9b\xa8\xe7\xbb\x35\xd5\x53\x4c\xf6\x30\x93\x50\xc8\x7e\xc0\x56\x85\x3f\xd8\x31\xd3\x71\xc9\x93\x69\xa5\x3d\xc1\x96\xea\xd7\x24\x0f\x25\xf7\xea\xcd\x2c\xaf\xe0\x69\xbd\x4d\x
36\xc7\x58\xc9\x62\x9c\x6c\x02\x29\x82\x89\x21\x62\xab\xa7\x65\x7f\xa6\x1a\x1e\xe6\x85\xa6\xd9\x8e\xe2\x56\x8d\x8d\x99\x02\x67\x5f\x50\x5c\x97\x41\x61\x1a\xa7\xf6\x9c\xbc\xc6\x60\x34\x60\x6b\x86\x21\x87\x68\xd0\xe5\x42\xe5\xd3\xea\xde\x38\xbc\xd8\xc6\x17\x11\xb9\xa4\x59\x0b\x55\xc3\xfe\xed\xc6\xbb\x19\xab\xd5\x55\x32\x8a\x87\xf5\xbf\x71\x9a\xae\x84\x53\xdb\x88\x93\xe9\xd9\xa7\xd4\x69\xe2\xa5\x75\x94\xd6\x60\x52\xb7\x6e\xde\xb9\x93\x6f\x74\xf1\x3f\x5a\x34\xf1\xe6\x1e\xfc\xab\xc8\x4b\x25\x89\xdb\x1e\x54\xa5\x18\x02\x29\x8a\x9a\x81\xd8\xae\x7f\x79\xb8\xff\xcd\x2b\x46\x37\x31\x9a\x3b\x24\xee\x96\x68\xaf\x68\xdf\x5f\xd3\xba\xff\x97\xb6\xdd\xae\xfd\xed\xe9\x64\x65\x8e\x75\x2e\x32\x2d\x0a\xcc\xce\xea\x10\x26\x58\x9c\x0d\x75\xa1\x11\x30\xc4\xc8\x9a\x1c\x97\xb0\xf2\x6f\xc8\xb5\xc0\x5c\xf1\xff\x35\x55\xa0\x4b\x05\x68\x97\xfd\xa5\xc4\xfb\x92\xff\x55\x89\xdf\x2d\xe9\x3b\x25\x7c\xc7\x64\xef\x9c\xe8\xcd\x80\x8f\x10\x51\x20\x52\xf9\xef\x31\x4b\x27\x19\xce\x06\x46\x60\x8b\x24\xff\xca\x04\xef\x9a\xdc\xaf\x4e\xec\xc5\x56\x40\x2f\xea\x7f\x10\xfd\x17\x00\x00\xff\xff\x3c\x39\x0e\x24\xaa\x13\x00\x00") +var _publicJsApplicationJs = 
[]byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xac\x58\x7f\x4f\xe3\x46\x10\xfd\x9b\x93\xf8\x0e\x5b\xb7\x3a\xdb\xba\xe0\x00\xad\x54\x09\x12\x24\x7a\x5c\xc5\xb5\x50\xaa\x83\x4a\x95\xaa\x4a\x6c\xec\x49\xb2\x97\xcd\x6e\x6a\xaf\xa1\xd1\x5d\xbe\x7b\x67\xfc\x2b\xbf\xd6\x89\x0d\xf5\x3f\x71\xb2\xfb\xde\xce\xbe\x9d\x7d\x33\xe0\xa6\x09\xb0\xc4\xc4\x22\x34\xee\xf9\xe1\x9b\xc3\x37\x91\x0e\xd3\x29\x28\x13\xf0\x28\xfa\xf0\x84\x2f\x37\x22\x31\xa0\x20\xf6\xdc\xab\xbb\xdb\xf7\x5a\x19\xfa\x4d\xf3\x08\x22\xb7\xc3\x80\x66\xb0\xfe\x05\xfb\x72\xf8\x86\xe1\x23\xc1\x30\x29\xd4\x84\xf5\x59\x45\xf4\x4f\x0a\xf1\xfc\x1e\x24\x84\x46\x23\xcb\x18\x10\x1b\xb3\x0b\x16\x89\xa7\xb3\xa1\x88\x13\x73\x14\x8e\x85\x8c\x18\x5f\xfd\xe6\xfa\xc1\x08\xcc\xa5\xc1\xc8\x06\xa9\x01\x84\xc5\x30\x74\x7d\xf6\x8e\x39\xdd\x04\x8c\x11\x6a\x94\x74\x9d\x7c\xd1\x6a\x25\x44\x7c\x90\x40\xaf\x3f\xcd\x3f\x46\x9e\x2b\xf5\x48\xa7\x06\xa9\x84\x4a\x20\x36\x97\xd1\x67\x1e\xe2\xe0\xf5\xc3\xed\x8d\xe7\x0e\x60\xa8\x63\x18\xc0\x48\x28\xdc\xc8\x63\x8f\x33\x5a\xa2\xef\x7c\xf7\x85\x36\xb0\x70\x2e\x72\x72\xc6\x7a\x18\x28\x0b\x25\x4f\x92\xbe\xc3\x43\x23\xb4\x5a\x8e\xb1\x9e\x28\x87\xa6\xdc\x40\x2c\xb8\x3c\x12\xa1\x56\x89\x73\x51\x46\xd9\xeb\x8a\x25\x55\x17\xb9\xca\x6f\xbd\x2e\xbf\x78\xf4\x51\xf4\x85\xbf\x4f\x79\x89\x6f\xc8\x65\x11\x5c\x0c\x99\xf7\x2c\x54\xa4\x9f\x03\xa9\x43\x4e\xd1\x05\x33\x6e\xc6\x8a\x4f\x01\xb7\x1d\xca\x34\x82\xc4\x73\xbb\x61\x7e\x70\x5d\xd7\xf7\x4b\xe8\x4e\xe9\x14\x3c\x47\x22\x46\xe9\x66\x12\x35\x1b\x6b\x49\x67\xd6\x67\xce\x50\x48\xf8\xeb\x8c\xc7\xe1\x18\xcc\x7c\x06\x7f\x07\x41\xe0\x9c\xb7\xe1\x8b\x61\xaa\x9f\x60\x63\x7f\x13\x98\xe3\x0e\xe8\x1c\x70\xde\x95\x88\xb3\x61\xbf\x15\xef\xb6\x68\x4b\xd2\x55\xd1\x96\x9c\xa5\x7c\xd9\x68\x80\xb3\xdf\xeb\x08\x58\xbf\xcf\x4e\x7f\x5c\xd3\xa8\x79\x0c\x59\x26\x50\x00\x81\xd1\xa3\x91\xc4\xac\x05\xc5\x07\x12\x6f\xca\xea\x5e\xca\x07\x13\xe4\x41\x4c\x01\x33\xd4\xf3\xfc\x95\x23\x6d\xbf\xee\x13\x97\x29\x46\xce\x5c\xd7\xb2\xcc\xa2\xc3\x4e\x8f\x8f\x37\x03\x58\x34\x52\xe2\xe4\x7b\xab\x12\xf9\xbc
\x59\x9c\x7d\x5e\xc1\x90\xa7\xd2\x78\x79\x12\x6f\x4e\x25\x43\x28\xc3\x6b\xb8\x11\xcb\x1e\x88\x05\x93\x1c\xfe\x45\x96\x6c\x4e\x80\x4a\x9b\x8f\xf4\xcb\xdd\xd0\x73\xcf\xac\xfa\x12\x88\xae\x41\x85\x49\xd2\x01\x39\x9d\x1a\x79\xc7\x9d\x9c\xae\x0e\x56\xe5\xb7\x05\x9b\xc7\xf1\x8e\x9d\x74\xca\x50\x40\x8d\xcc\xd8\x46\x45\x9a\xe6\x11\xe0\xcd\x71\xfc\x32\x9a\x8a\xbd\x06\x52\xec\xb4\xcf\x8e\x4e\xfc\xb5\x50\x1c\xa7\x56\x63\x34\x49\xa3\xd5\x1e\x91\x6b\x65\x1a\x9b\xa9\x44\x6c\x4e\x12\x84\x63\xae\x46\xf0\xa0\xc9\xe5\x69\xc7\x75\xa8\x18\xd0\xda\x13\xbc\x58\x74\x6b\xd9\x9f\xb7\x37\xd7\xc6\xcc\x3e\xe5\x3f\x5a\x41\x05\x20\xd0\x33\x50\x9e\xf3\xfb\xdd\xfd\x83\xd3\x61\x1b\xee\xb5\x0b\x87\x37\xa6\xa0\xbf\xce\x8a\x88\xe7\xfe\x8c\x76\x44\xaa\x92\x73\xe0\x47\x3b\xf0\x83\x9e\x00\xd9\x83\xa1\xcf\x76\xd0\xcb\xf2\x54\x10\x5e\x9d\xd0\x6e\x0a\x15\xed\xd6\x44\xc5\xc8\x3d\x4f\x0c\x96\x91\xfc\x00\x50\xd7\x61\xaa\xb2\x82\xe3\x59\xaf\x21\x3d\x94\x2f\x25\x45\x46\x70\x4f\x04\x94\x3c\x3f\xd4\x62\xe8\xd9\x38\xea\x2b\xad\xc0\xab\x88\x28\x88\x34\x61\xdf\xf4\x33\xe7\xe8\x64\xe9\x61\x8b\xdd\x16\x44\x81\xed\xe7\xd8\x5d\x21\xd0\xb3\x71\xf8\xb8\xe5\xba\x62\x86\x37\x8e\x3e\x76\x44\xb1\xb0\x0f\x59\x7e\x5e\x6c\x79\x61\xf5\x5a\x6e\x73\xd1\xa4\x2c\x43\x24\xb0\xa5\xb1\x54\xe5\xda\x4b\x88\x36\x32\x15\x75\x1d\x09\x1f\x62\x07\x81\x79\x92\xb5\x23\x2b\x4d\x47\x2c\x46\x63\x43\x3d\xc7\x01\xeb\x15\xf7\x5c\x44\x7d\x67\x96\x0e\xb0\x2f\x18\x67\x03\x38\x92\xcc\xb8\xca\x5e\x0f\x76\xf5\x24\x2a\xca\xfb\x11\x42\x74\x2b\x48\x81\x2e\x18\x97\x03\x38\x27\x5f\xb0\xf8\x42\xdd\xcb\xe3\xd2\xe8\xe9\xdc\xbd\xda\xbd\x46\xb8\x38\x76\x6c\x5f\xbf\xd6\xcb\x51\x2c\x98\xcf\xf4\xd9\xdb\xb7\xf5\x53\x0b\xad\xfd\x00\x27\x73\xbc\x90\xc1\x04\x13\x25\x33\xd6\x50\x4f\x67\x68\x47\xe0\xd8\x3b\x9b\x8d\xf6\xf3\xdb\x9c\x88\x05\x99\xaa\xbb\x4e\xa2\x6a\x0d\xd7\x54\x4f\xf0\xb2\x47\xa9\x84\x5c\xf6\x03\xb6\x2a\xfc\xc1\x8e\x76\x90\x4b\x1e\x4f\x4b\xed\x09\xb6\x54\xbf\x22\xb9\x2f\xb8\x57\x4f\x66\x79\x04\x8f\xeb\x15\xb6\x3e\xc7\x0a\x16\x6b\x53\x14\x4a\x11\x4e\x2c\x19\x5b\x3e
\x0d\x4b\x3b\xd9\x7f\x94\x19\x4d\x7d\x1c\xf9\xa9\x5a\x6b\x3a\x25\xce\xbe\xa4\xb8\x2a\x92\xc2\xd6\x89\xed\x59\x79\x8d\xc1\x1a\xc0\x56\xfb\x43\x1b\xa2\x1e\x99\x0b\x95\x35\xba\x7b\xf3\xf0\x7c\x1b\x9f\x67\xe4\x92\x66\x2d\x55\x2d\xf3\xb7\x6b\xf6\x66\xae\x96\x47\xc9\x28\x1f\xd6\xff\x3c\xaa\x3b\x12\x4e\x65\x43\xc7\xd3\xd3\xcf\x89\x57\xc7\x4b\xe3\x28\xad\x25\xa4\x76\x8d\x40\xeb\x26\x60\xa3\x01\xf8\xa3\x41\xfd\xaf\xaf\xc1\xbf\x8a\xcc\x2a\x49\xdc\xe6\xa0\x9d\x35\xbf\x1e\x56\xde\x4c\x44\x52\xf2\xd5\x03\xb1\xca\xff\x72\x7f\xf7\x5b\x90\x37\x8b\x62\x38\xf7\xe8\x4c\xb6\xb4\x7e\x45\xd5\x7f\x49\xc5\xff\x5f\xaa\x7d\xb3\xaa\xb9\xa7\x00\x16\x57\xb3\xb5\x37\x35\xf0\xa5\x9d\xa6\x12\xc5\xe8\xe9\x16\x3b\xa9\x05\x0c\x30\x21\x27\x47\x05\xac\xf8\xab\x75\x2d\x9f\x57\xf6\xff\x1a\xf3\x68\x63\x1c\xcd\x4c\xa3\x90\x78\x9f\x67\xbc\xca\x2f\xda\x79\x45\x2b\x9f\x68\xe9\x11\xad\xfd\xe1\x05\xde\x50\x0f\xf9\x04\x23\xca\x5d\x2a\x34\x1d\xe6\x98\x38\xc5\x2e\xc4\x0a\x6c\xe0\x0b\x2f\xf4\x84\xb6\x7e\xf0\x6a\x2f\x58\x6c\xdd\x81\x45\xf5\x5f\xac\xff\x02\x00\x00\xff\xff\x89\x60\xdb\x69\x4f\x14\x00\x00") func publicJsApplicationJsBytes() ([]byte, error) { return bindataRead( @@ -104,7 +104,7 @@ func publicJsApplicationJs() (*asset, error) { return nil, err } - info := bindataFileInfo{name: "public/js/application.js", size: 5034, mode: os.FileMode(438), modTime: time.Unix(1467385816, 0)} + info := bindataFileInfo{name: "public/js/application.js", size: 5199, mode: os.FileMode(438), modTime: time.Unix(1467737568, 0)} a := &asset{bytes: bytes, info: info} return a, nil } diff --git a/hugo.go b/hugo.go index 371ae4b4..079743d8 100644 --- a/hugo.go +++ b/hugo.go @@ -74,6 +74,10 @@ func (h Hugo) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) { } if r.Method == http.MethodPost && r.Header.Get("archetype") != "" { + if !h.FileManager.Configs[0].CheckToken(r) { + return http.StatusForbidden, nil + } + filename := r.Header.Get("Filename") archetype := r.Header.Get("archetype") 
@@ -94,6 +98,7 @@ func (h Hugo) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) { } if directory.CanBeEdited(r.URL.Path) && r.Method == http.MethodPut { + // NOTE: File Manager already checks the security token code, err := h.FileManager.ServeHTTP(w, r) if err != nil {
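Review bot: In the application.js hunk at @@ -37,6 +37,7 (the `listing` POST handler), the added `request.setRequestHeader('Token', token);` references a `token` variable that is not declared anywhere in the visible lines of this hunk. Confirm it is defined in a scope the event handler can reach (the same question applies to the two `editor` hunks), otherwise the handler throws a ReferenceError before `request.send()` and the create-from-archetype flow breaks rather than being protected.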
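Review bot: The application.js hunks at @@ -87,6 +88,7 and @@ -112,6 +114,7 insert the identical `request.setRequestHeader('Token', token);` line into two copies of the same PUT sequence (`open`, `Kind`, `Token`, then `Schedule` or `Regenerate`, then `send`). Three hand-edited copies of the header setup is how one path ends up missing the token on the next change; consider a small helper that builds the request and sets the common headers (`Token`, `Kind`) so each handler only adds its own specific header.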
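Review bot: The binary.go hunks at @@ -89,7 +89,7 and @@ -104,7 +104,7 replace the generated `_publicJsApplicationJs` blob and bump its `bindataFileInfo` (`size: 5034` to `size: 5199`, new `modTime`). This is generated output that cannot be reviewed by eye; state in the commit message how it was regenerated (the bindata command and flags) so a reviewer can reproduce it from the committed application.js and confirm the embedded script matches the source change in the same patch.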
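Review bot: In the hugo.go hunk at @@ -74,6 +74,10, the new `CheckToken` gate sits inside `if r.Method == http.MethodPost && r.Header.Get("archetype") != ""`, so it only covers archetype-driven POSTs; any POST that reaches this handler without an `archetype` header continues past the check unchanged, and it should be verified that every such path ends in File Manager's own token check. Separately, `h.FileManager.Configs[0]` is indexed with no length check before the token is validated, so if `Configs` can be empty an unauthenticated request panics the handler; guard with `len(h.FileManager.Configs) == 0` (or pick the config that matches `r.URL.Path` rather than always the first) before calling `CheckToken(r)`.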
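Review bot: The hugo.go hunk at @@ -94,6 +98,7 only adds the comment `// NOTE: File Manager already checks the security token` on the `directory.CanBeEdited(r.URL.Path) && r.Method == http.MethodPut` branch. A comment documents a guarantee enforced in another package but does not enforce it; add a test that a PUT to an editable path with a missing or wrong `Token` header returns `http.StatusForbidden`, so a later File Manager change that drops or reorders its check is caught here rather than silently reopening the editor endpoints.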