Commit b8f3f3f3a0f3d152424f21e8eaf8c6c00f33895d
1 parent
a1e9a849
Fix csrf token verification
Showing
2 changed files
with
7 additions
and
1 deletions
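--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -107,7 +107,7 @@ class ApplicationController < ActionController::Base
 protected
 
 def verified_request?
-super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
+super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
 end
 
 def setup_multitenancy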
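Review bot: The `verified_request?` override accepts a second, non-standard token channel (`X-XSRF-TOKEN`) with no comment saying where that header comes from or why `super`'s own `X-CSRF-Token` check is not enough; add `# Our JS client copies the masked token from the _noosfero_.XSRF-TOKEN cookie into X-XSRF-TOKEN (userDataCallback in application.js); valid_authenticity_token? unmasks and compares it the same way Rails does for X-CSRF-Token.` above the `super ||` line. Whether that cookie is set server-side with a token the session actually validates, and without HttpOnly so the script can read it, is outside this hunk and should be confirmed. `valid_authenticity_token?` already rejects a nil or empty header, so no extra guard is needed here. The method sits inside `ApplicationController`, whose class body begins and continues outside the hunk.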
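--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -568,6 +568,12 @@ function userDataCallback(data) {
 // logged in
 jQuery('head').append('<meta content="authenticity_token" name="csrf-param" />');
 jQuery('head').append('<meta content="'+jQuery.cookie("_noosfero_.XSRF-TOKEN")+'" name="csrf-token" />');
+jQuery.ajaxSetup({
+cache: false,
+headers: {
+'X-XSRF-TOKEN': jQuery.cookie("_noosfero_.XSRF-TOKEN")
+}
+});
 }
 if (data.notice) {
 display_notice(data.notice);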
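Review bot: The `headers:` option given to `jQuery.ajaxSetup` attaches the XSRF token to every jQuery AJAX request, including cross-origin ones, so the token is handed to any third-party host the page happens to call; rails-ujs avoids exactly this by setting its header only when `settings.crossDomain` is false. Replace the `headers:` key with a `beforeSend` hook (or a `jQuery.ajaxPrefilter`, which a per-request `beforeSend` cannot override) that checks `settings.crossDomain` before calling `xhr.setRequestHeader`, as below. Reading the cookie inside the hook rather than once at callback time also means a token rotated later in the session is not sent stale, though whether the server ever rotates it is not visible here. `userDataCallback` begins before this hunk.
```javascript
jQuery.ajaxSetup({
  cache: false,
  beforeSend: function(xhr, settings) {
    // same-origin only: never leak the CSRF token to third-party hosts
    if (!settings.crossDomain) {
      xhr.setRequestHeader('X-XSRF-TOKEN', jQuery.cookie("_noosfero_.XSRF-TOKEN"));
    }
  }
});
```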