rails3: use cookie to store csrf token

Victor Costa
1 parent e72c8f0e
Showing 3 changed files with 13 additions and 2 deletions Show diff stats
app/controllers/application_controller.rb
app/views/layouts/application-ng.html.erb
public/javascripts/application.js
@@ -8,6 +8,12 @@ class ApplicationController &lt; ActionController::Base
   before_filter :init_noosfero_plugins
   before_filter :allow_cross_domain_access
  
+  after_filter :set_csrf_cookie
+
+  def set_csrf_cookie
+    cookies['_noosfero_.XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery? && logged_in?
+  end
+
   def allow_cross_domain_access
     origin = request.headers['Origin']
     return if origin.blank?
@@ -91,6 +97,10 @@ class ApplicationController &lt; ActionController::Base
  
   protected
  
+  def verified_request?
+    super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
+  end
+
   def setup_multitenancy
     Noosfero::MultiTenancy.setup!(request.host)
   end
@@ -43,7 +43,6 @@
       DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
     </script>
  
-    <%= csrf_meta_tag %>
   </head>
   <body class="<%= h body_classes %>">
     <a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>
@@ -511,7 +511,7 @@ jQuery(function($) {
   $.ajaxSetup({
     cache: false,
     headers: {
-      'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
+      'X-CSRF-Token': $.cookie("_noosfero_.XSRF-TOKEN")
     }
   });
  
@@ -523,6 +523,8 @@ jQuery(function($) {
       if (data.chat_enabled) {
         setInterval(function(){ $.getJSON('/account/user_data', chatOnlineUsersDataCallBack)}, 10000);
       }
+      $('head').append('<meta content="authenticity_token" name="csrf-param" />');
+      $('head').append('<meta content="'+$.cookie("_noosfero_.XSRF-TOKEN")+'" name="csrf-token" />');
     } else {
       // not logged in
       $('#user .not-logged-in, .login-block .not-logged-user').fadeIn();
...	...	@@ -8,6 +8,12 @@ class ApplicationController < ActionController::Base
8	8	before_filter :init_noosfero_plugins
9	9	before_filter :allow_cross_domain_access
10	10
	11	+ after_filter :set_csrf_cookie
	12	+
	13	+ def set_csrf_cookie
	14	+ cookies['_noosfero_.XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery? && logged_in?
	15	+ end
	16	+
11	17	def allow_cross_domain_access
12	18	origin = request.headers['Origin']
13	19	return if origin.blank?
...	...	@@ -91,6 +97,10 @@ class ApplicationController < ActionController::Base
91	97
92	98	protected
93	99
	100	+ def verified_request?
	101	+ super \|\| form_authenticity_token == request.headers['X-XSRF-TOKEN']
	102	+ end
	103	+
94	104	def setup_multitenancy
95	105	Noosfero::MultiTenancy.setup!(request.host)
96	106	end
...	...
...	...	@@ -43,7 +43,6 @@
43	43	DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
44	44	</script>
45	45
46		- <%= csrf_meta_tag %>
47	46	</head>
48	47	<body class="<%= h body_classes %>">
49	48	<a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>
...	...
...	...	@@ -511,7 +511,7 @@ jQuery(function($) {
511	511	$.ajaxSetup({
512	512	cache: false,
513	513	headers: {
514		- 'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
	514	+ 'X-CSRF-Token': $.cookie("_noosfero_.XSRF-TOKEN")
515	515	}
516	516	});
517	517
...	...	@@ -523,6 +523,8 @@ jQuery(function($) {
523	523	if (data.chat_enabled) {
524	524	setInterval(function(){ $.getJSON('/account/user_data', chatOnlineUsersDataCallBack)}, 10000);
525	525	}
	526	+ $('head').append('<meta content="authenticity_token" name="csrf-param" />');
	527	+ $('head').append('<meta content="'+$.cookie("_noosfero_.XSRF-TOKEN")+'" name="csrf-token" />');
526	528	} else {
527	529	// not logged in
528	530	$('#user .not-logged-in, .login-block .not-logged-user').fadeIn();
...	...