Commit b8f3f3f3a0f3d152424f21e8eaf8c6c00f33895d
1 parent
a1e9a849
Exists in
staging
and in
2 other branches
Fix csrf token verification
Showing
2 changed files
with
7 additions
and
1 deletions
Show diff stats
app/controllers/application_controller.rb
| @@ -107,7 +107,7 @@ class ApplicationController < ActionController::Base | @@ -107,7 +107,7 @@ class ApplicationController < ActionController::Base | ||
| 107 | protected | 107 | protected |
| 108 | 108 | ||
| 109 | def verified_request? | 109 | def verified_request? |
| 110 | - super || form_authenticity_token == request.headers['X-XSRF-TOKEN'] | 110 | + super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN']) |
| 111 | end | 111 | end |
| 112 | 112 | ||
| 113 | def setup_multitenancy | 113 | def setup_multitenancy |
public/javascripts/application.js
| @@ -568,6 +568,12 @@ function userDataCallback(data) { | @@ -568,6 +568,12 @@ function userDataCallback(data) { | ||
| 568 | // logged in | 568 | // logged in |
| 569 | jQuery('head').append('<meta content="authenticity_token" name="csrf-param" />'); | 569 | jQuery('head').append('<meta content="authenticity_token" name="csrf-param" />'); |
| 570 | jQuery('head').append('<meta content="'+jQuery.cookie("_noosfero_.XSRF-TOKEN")+'" name="csrf-token" />'); | 570 | jQuery('head').append('<meta content="'+jQuery.cookie("_noosfero_.XSRF-TOKEN")+'" name="csrf-token" />'); |
| 571 | + jQuery.ajaxSetup({ | ||
| 572 | + cache: false, | ||
| 573 | + headers: { | ||
| 574 | + 'X-XSRF-TOKEN': jQuery.cookie("_noosfero_.XSRF-TOKEN") | ||
| 575 | + } | ||
| 576 | + }); | ||
| 571 | } | 577 | } |
| 572 | if (data.notice) { | 578 | if (data.notice) { |
| 573 | display_notice(data.notice); | 579 | display_notice(data.notice); |