Commit 409f4f8a9edc0a5208e9ebbab0e8c219f539d83e

Authored by Victor Costa
1 parent e72c8f0e

rails3: use cookie to store csrf token

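--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,6 +8,12 @@ class ApplicationController < ActionController::Base
 before_filter :init_noosfero_plugins
 before_filter :allow_cross_domain_access
 
+after_filter :set_csrf_cookie
+
+def set_csrf_cookie
+cookies['_noosfero_.XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery? && logged_in?
+end
+
 def allow_cross_domain_access
 origin = request.headers['Origin']
 return if origin.blank?
@@ -91,6 +97,10 @@ class ApplicationController < ActionController::Base
 
 protected
 
+def verified_request?
+super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
+end
+
 def setup_multitenancy
 Noosfero::MultiTenancy.setup!(request.host)
 end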
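Review bot: `set_csrf_cookie` (new lines 13-15) is defined above the `protected` marker at new line 98, so in Rails 3 it becomes a public action method inherited by every controller, and a `:controller/:action`-style route would let it be dispatched directly; place the definition below `protected` or add `protected :set_csrf_cookie`. The cookie write on new line 14 sets no `secure` flag, so the token is also sent over plain HTTP whenever the page is; `cookies['_noosfero_.XSRF-TOKEN'] = { :value => form_authenticity_token, :secure => request.ssl? }` ties it to the transport of the response that issued it. Nothing clears the cookie once `logged_in?` is false, so a stale token survives logout until the next authenticated response overwrites it; deleting it in the logout path avoids that. In `verified_request?` (new line 101) the header compare uses `==`, as Rails 3's own check does; a constant-time comparison would be the stricter choice if the codebase has one available.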
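--- a/app/views/layouts/application-ng.html.erb
+++ b/app/views/layouts/application-ng.html.erb
@@ -43,7 +43,6 @@
 DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
 </script>
 
-<%= csrf_meta_tag %>
 </head>
 <body class="<%= h body_classes %>">
 <a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>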
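--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -511,7 +511,7 @@ jQuery(function($) {
 $.ajaxSetup({
 cache: false,
 headers: {
-'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
+'X-CSRF-Token': $.cookie("_noosfero_.XSRF-TOKEN")
 }
 });
 
@@ -523,6 +523,8 @@ jQuery(function($) {
 if (data.chat_enabled) {
 setInterval(function(){ $.getJSON('/account/user_data', chatOnlineUsersDataCallBack)}, 10000);
 }
+$('head').append('<meta content="authenticity_token" name="csrf-param" />');
+$('head').append('<meta content="'+$.cookie("_noosfero_.XSRF-TOKEN")+'" name="csrf-token" />');
 } else {
 // not logged in
 $('#user .not-logged-in, .login-block .not-logged-user').fadeIn();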
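Review bot: The meta tag on new line 527 is assembled by string concatenation, so whatever `$.cookie("_noosfero_.XSRF-TOKEN")` returns is inserted into the document as markup; a cookie is client-side state, and anything able to set a cookie for this host controls that value, so build the element with attribute setters instead: `$('<meta>', { name: 'csrf-token', content: $.cookie("_noosfero_.XSRF-TOKEN") }).appendTo('head');`. The `$.ajaxSetup` header on new line 514 runs for every visitor, but the controller only writes the cookie when `logged_in?`, so anonymous pages — which previously carried `csrf_meta_tag` — now configure the `X-CSRF-Token` header from a missing cookie; presumably that means unauthenticated AJAX POSTs no longer pass verification, which is worth confirming against the forgery handling configured for this app. The header name `X-CSRF-Token` is Rails' own and is handled by `super` in the controller's `verified_request?`, so the `X-XSRF-TOKEN` branch added there is not what this file exercises; a comment noting which clients send `X-XSRF-TOKEN` would help the next reader.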