Commit 409f4f8a9edc0a5208e9ebbab0e8c219f539d83e

Authored by Victor Costa
1 parent e72c8f0e

rails3: use cookie to store csrf token

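--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,6 +8,12 @@ class ApplicationController < ActionController::Base
 before_filter :init_noosfero_plugins
 before_filter :allow_cross_domain_access
 
+after_filter :set_csrf_cookie
+
+def set_csrf_cookie
+cookies['_noosfero_.XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery? && logged_in?
+end
+
 def allow_cross_domain_access
 origin = request.headers['Origin']
 return if origin.blank?
@@ -91,6 +97,10 @@ class ApplicationController < ActionController::Base
 
 protected
 
+def verified_request?
+super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
+end
+
 def setup_multitenancy
 Noosfero::MultiTenancy.setup!(request.host)
 end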
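Review bot: `set_csrf_cookie` in the first hunk is defined above the `protected` marker, so it is a public controller method and Rails 3 lists it in `action_methods`, which makes it reachable as an action wherever a generic `:controller/:action` route exists; move it below `protected` (or add `hide_action :set_csrf_cookie`), the `after_filter` runs either way. In the second hunk `verified_request?` compares the token with `==`, which returns as soon as one byte differs; `super || Rack::Utils.secure_compare(form_authenticity_token, request.headers['X-XSRF-TOKEN'].to_s)` keeps the check constant-time, assuming the bundled Rack provides `secure_compare`. The cookie is also written with no `secure` flag, so it travels over plain HTTP as well; `cookies['_noosfero_.XSRF-TOKEN'] = { value: form_authenticity_token, secure: request.ssl? }` limits that while leaving it readable by the JavaScript that needs it (no `httponly`).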
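--- a/app/views/layouts/application-ng.html.erb
+++ b/app/views/layouts/application-ng.html.erb
@@ -43,7 +43,6 @@
 DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
 </script>
 
-<%= csrf_meta_tag %>
 </head>
 <body class="<%= h body_classes %>">
 <a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>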
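--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -511,7 +511,7 @@ jQuery(function($) {
 $.ajaxSetup({
 cache: false,
 headers: {
-'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
+'X-CSRF-Token': $.cookie("_noosfero_.XSRF-TOKEN")
 }
 });
 
@@ -523,6 +523,8 @@ jQuery(function($) {
 if (data.chat_enabled) {
 setInterval(function(){ $.getJSON('/account/user_data', chatOnlineUsersDataCallBack)}, 10000);
 }
+$('head').append('<meta content="authenticity_token" name="csrf-param" />');
+$('head').append('<meta content="'+$.cookie("_noosfero_.XSRF-TOKEN")+'" name="csrf-token" />');
 } else {
 // not logged in
 $('#user .not-logged-in, .login-block .not-logged-user').fadeIn();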
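Review bot: The second hunk builds the `csrf-token` meta tag by concatenating the raw cookie value into an HTML string (new line 527), which produces `content="null"` when the cookie is absent and relies on the token never containing a quote; build the elements through attributes instead: `$('<meta>', {name: 'csrf-param', content: 'authenticity_token'}).appendTo('head');` and `$('<meta>', {name: 'csrf-token', content: $.cookie("_noosfero_.XSRF-TOKEN")}).appendTo('head');`. The `headers` object in the first hunk's `$.ajaxSetup` is evaluated once at page load, while the server rewrites the cookie on each response for a logged-in user, so a request can carry a value that predates the current cookie; `beforeSend: function(xhr) { xhr.setRequestHeader('X-CSRF-Token', $.cookie("_noosfero_.XSRF-TOKEN")); }` reads it per request. Both hunks depend on `$.cookie`, which is not part of jQuery core and nothing in this commit shows it being loaded, so confirm the plugin is already on the page. The enclosing `jQuery(function($) {` block starts and ends outside both hunks.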