rails3: fix ajax requests with csrf protection

Victor Costa
1 parent 43751b88
Showing 3 changed files with 10 additions and 2 deletions Show diff stats
app/helpers/application_helper.rb
app/views/layouts/application-ng.html.erb
public/javascripts/application.js
@@ -589,7 +589,7 @@ module ApplicationHelper
     extra_info = extra_info.nil? ? '' : content_tag( 'span', extra_info, :class => 'extra_info' )
     links = links_for_balloon(profile)
     content_tag('div', content_tag(tag,
-                                   (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ? link_to( content_tag( 'span', _('Profile links')), '#', :onclick => "toggleSubmenu(this, '#{profile.short_name}', #{links.to_json}); return false", :class => "menu-submenu-trigger #{trigger_class}", :url => url) : "") +
+                                   (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ? link_to( content_tag( 'span', _('Profile links')), '#', :onclick => "toggleSubmenu(this, '#{profile.short_name}', #{j(links.to_json)}); return false", :class => "menu-submenu-trigger #{trigger_class}", :url => url) : "") +
     link_to(
       content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
       content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
@@ -21,6 +21,8 @@
     <script type='text/javascript'>
       DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
     </script>
+
+    <%= csrf_meta_tag %>
   </head>
   <body class="<%= body_classes %>">
     <a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>
@@ -508,7 +508,13 @@ function new_qualifier_row(selector, select_qualifiers, delete_button) {
  
 // controls the display of the login/logout stuff
 jQuery(function($) {
-  $.ajaxSetup({cache: false});
+  $.ajaxSetup({
+    cache: false,
+    headers: {
+      'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
+    }
+  });
+
   $.getJSON('/account/user_data', function userDataCallBack(data) {
     if (data.login) {
       // logged in
...	...	@@ -589,7 +589,7 @@ module ApplicationHelper
589	589	extra_info = extra_info.nil? ? '' : content_tag( 'span', extra_info, :class => 'extra_info' )
590	590	links = links_for_balloon(profile)
591	591	content_tag('div', content_tag(tag,
592		- (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ? link_to( content_tag( 'span', _('Profile links')), '#', :onclick => "toggleSubmenu(this, '#{profile.short_name}', #{links.to_json}); return false", :class => "menu-submenu-trigger #{trigger_class}", :url => url) : "") +
	592	+ (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ? link_to( content_tag( 'span', _('Profile links')), '#', :onclick => "toggleSubmenu(this, '#{profile.short_name}', #{j(links.to_json)}); return false", :class => "menu-submenu-trigger #{trigger_class}", :url => url) : "") +
593	593	link_to(
594	594	content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
595	595	content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
...	...
...	...	@@ -21,6 +21,8 @@
21	21	<script type='text/javascript'>
22	22	DEFAULT_LOADING_MESSAGE = <%="'#{ _('loading...') }'" %>;
23	23	</script>
	24	+
	25	+ <%= csrf_meta_tag %>
24	26	</head>
25	27	<body class="<%= body_classes %>">
26	28	<a href="#content" id="link-go-content"><span><%= _("Go to the content") %></span></a>
...	...
...	...	@@ -508,7 +508,13 @@ function new_qualifier_row(selector, select_qualifiers, delete_button) {
508	508
509	509	// controls the display of the login/logout stuff
510	510	jQuery(function($) {
511		- $.ajaxSetup({cache: false});
	511	+ $.ajaxSetup({
	512	+ cache: false,
	513	+ headers: {
	514	+ 'X-CSRF-Token': $('meta[name="csrf-token"]').attr('content')
	515	+ }
	516	+ });
	517	+
512	518	$.getJSON('/account/user_data', function userDataCallBack(data) {
513	519	if (data.login) {
514	520	// logged in
...	...