diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 92aba61..b4d1767 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,6 +8,12 @@ class ApplicationController < ActionController::Base
   before_filter :init_noosfero_plugins
   before_filter :allow_cross_domain_access
+  after_filter :set_csrf_cookie
+
+  def set_csrf_cookie
+    cookies['_noosfero_.XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery? && logged_in?
+  end
+
   def allow_cross_domain_access
     origin = request.headers['Origin']
     return if origin.blank?
@@ -91,6 +97,10 @@ class ApplicationController < ActionController::Base
 
   protected
 
+  def verified_request?
+    super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
+  end
+
   def setup_multitenancy
     Noosfero::MultiTenancy.setup!(request.host)
   end
diff --git a/app/views/layouts/application-ng.html.erb b/app/views/layouts/application-ng.html.erb
index cfb72b4..44666c0 100644
--- a/app/views/layouts/application-ng.html.erb
+++ b/app/views/layouts/application-ng.html.erb
@@ -43,7 +43,6 @@
   DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
-  <%= csrf_meta_tag %>
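Review bot: `set_csrf_cookie` writes the CSRF token with the cookie jar's defaults, so the cookie carries no `secure` flag, and on a site reachable over both HTTP and HTTPS the token travels in the clear on the plain-HTTP requests; writing it as `cookies['_noosfero_.XSRF-TOKEN'] = { :value => form_authenticity_token, :secure => request.ssl? }` ties the flag to the connection. The cookie is only written when `logged_in?` holds, while `csrf_meta_tag` is removed from application-ng.html.erb in the next file and application.js now takes the token from this cookie alone, so an anonymous visitor's AJAX POSTs presumably go out with no token at all and fail `verified_request?` (which, in a Rails that still uses `before_filter`, resets the session rather than raising); dropping the `logged_in?` condition or keeping the meta tag would close that gap. A one-line comment above the method, `# Token is duplicated into a JS-readable (deliberately non-HttpOnly) cookie because the layout no longer emits csrf_meta_tag`, would tell the next reader why this cookie exists. The class body continues outside the hunk.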
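Review bot: The override compares the session token with the header using `==`, so the comparison's timing depends on how many leading bytes match; if the Rack in use provides it, `super || Rack::Utils.secure_compare(form_authenticity_token, request.headers['X-XSRF-TOKEN'].to_s)` removes that, and the `.to_s` keeps a missing header from raising inside the comparison instead of returning false. Note also that the JavaScript in this commit sends the token as `X-CSRF-Token`, which `super` already validates, so this branch is only reached by a client that sends `X-XSRF-TOKEN` — presumably a separate front end that follows the XSRF-cookie convention — and a short comment naming that client above the method would stop a later reader from removing it as dead code. The `protected` section and the class continue outside the hunk.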
   <%= _("Go to the content") %>
diff --git a/public/javascripts/application.js b/public/javascripts/application.js
index aa30c7b..bd29a86 100644
--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -511,7 +511,7 @@ jQuery(function($) {
   $.ajaxSetup({
     cache: false,
     headers: {
-      'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
+      'X-CSRF-Token': $.cookie("_noosfero_.XSRF-TOKEN")
     }
   });
@@ -523,6 +523,8 @@ jQuery(function($) {
     if (data.chat_enabled) {
       setInterval(function(){ $.getJSON('/account/user_data', chatOnlineUsersDataCallBack)}, 10000);
     }
+    $('head').append('');
+    $('head').append('');
   } else { // not logged in
     $('#user .not-logged-in, .login-block .not-logged-user').fadeIn();
-- libgit2 0.21.2
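Review bot: `$.ajaxSetup` evaluates `$.cookie("_noosfero_.XSRF-TOKEN")` once, at page load, so every later request carries whatever the cookie held at that moment: a visitor who was not logged in when the page rendered has no cookie (the controller only sets it when `logged_in?`), and a token rotated by a session reset is never picked up. Reading the cookie per request keeps the header current and omits it when there is no token, e.g. `beforeSend: function(xhr) { var t = $.cookie("_noosfero_.XSRF-TOKEN"); if (t) { xhr.setRequestHeader('X-CSRF-Token', t); } }` in place of the static `headers` entry. This also presumes the jquery.cookie plugin is loaded before application.js runs; nothing in the hunk shows that. The enclosing `jQuery(function($) { ... })` callback continues outside the hunk.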
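Review bot: The two `$('head').append('')` calls append an empty string, which is a no-op in the page as shown; if the argument was markup that the page rendering stripped, the review cannot see what is injected into `<head>` for logged-in users, and if it really is empty both lines should go. A comment naming what is loaded there and why it is only loaded after login would make the intent checkable. The `if`/`else` block and its enclosing callback start and end outside the hunk.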