Fixes #10: Use the X-XSRF-TOKEN header globally for AJAX CSRF protection.

This commit is contained in:
Peter Deltchev 2015-11-11 13:45:44 -08:00
parent 6f62b61915
commit 8bfddc7037
15 changed files with 46 additions and 23 deletions


@ -101,11 +101,13 @@ class Assets
if ($area == 'embed') {
return [
"scripts/base/jquery-2.0.2.js",
"scripts/base/jquery.cookie.js",
"scripts/base/jquery.viewport.js",
"scripts/base/underscore.js",
"scripts/base/moment.js",
"scripts/base/jquery.timeago.js",
"scripts/base/soundmanager2-nodebug.js",
"scripts/shared/jquery-extensions.js",
"scripts/embed/*.coffee"
];
}


@ -106,11 +106,13 @@ gulp.task("scripts-embed", function () {
var includedScripts = [
"resources/assets/scripts/base/jquery-2.0.2.js",
"resources/assets/scripts/base/jquery.cookie.js",
"resources/assets/scripts/base/jquery.viewport.js",
"resources/assets/scripts/base/underscore.js",
"resources/assets/scripts/base/moment.js",
"resources/assets/scripts/base/jquery.timeago.js",
"resources/assets/scripts/base/soundmanager2-nodebug.js",
"resources/assets/scripts/shared/jquery-extensions.js",
"resources/assets/scripts/embed/*.coffee"
];


@ -108,7 +108,7 @@ angular.module('ponyfm').controller "account-albums-edit", [
formData.append 'track_ids', _.map($scope.tracks, (t) -> t.id).join()
xhr.open 'POST', url, true
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
$scope.isSaving = true
xhr.send formData
@ -117,7 +117,7 @@ angular.module('ponyfm').controller "account-albums-edit", [
{result: 'ok', label: 'Yes', cssClass: 'btn-danger'}, {result: 'cancel', label: 'No', cssClass: 'btn-primary'}
]).open().then (res) ->
return if res == 'cancel'
$.post('/api/web/albums/delete/' + $scope.album.id, {_token: window.pfm.token})
$.post('/api/web/albums/delete/' + $scope.album.id)
.then -> $scope.$apply ->
$scope.$emit 'album-deleted'
$state.transitionTo 'account.albums'
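Review bot: The manual `xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')` on line 47 is repeated verbatim in the account-settings and account-track controllers and in the upload factory, and none of the four sites say why the header is set by hand when this same commit adds a global jQuery prefilter. The reason — a raw XMLHttpRequest never passes through `jQuery.ajaxPrefilter` — deserves a comment at each site, e.g. `# raw XHR bypasses jQuery's ajaxPrefilter, so the XSRF header must be set here`, or better a single shared helper that applies the header so the copies cannot drift. When the `XSRF-TOKEN` cookie is absent, `$.cookie` returns undefined and the header goes out as the literal string "undefined", which the server rejects as a token mismatch; a guard on the cookie value would make that failure explicit. The enclosing save handler starts outside the hunk.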


@ -67,7 +67,7 @@ angular.module('ponyfm').controller "account-settings", [
formData.append name, value
xhr.open 'POST', '/api/web/account/settings/save', true
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
$scope.isSaving = true
xhr.send formData


@ -116,7 +116,7 @@ angular.module('ponyfm').controller "account-track", [
formData.append 'show_song_ids', _.map(_.values($scope.selectedSongs), (s) -> s.id).join()
xhr.open 'POST', '/api/web/tracks/edit/' + $scope.edit.id, true
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
$scope.isSaving = true
xhr.send formData
@ -151,7 +151,7 @@ angular.module('ponyfm').controller "account-track", [
{result: 'ok', label: 'Yes', cssClass: 'btn-danger'}, {result: 'cancel', label: 'No', cssClass: 'btn-primary'}
]).open().then (res) ->
return if res == 'cancel'
$.post('/api/web/tracks/delete/' + track.id, {_token: window.pfm.token})
$.post('/api/web/tracks/delete/' + track.id)
.then -> $scope.$apply ->
$scope.$emit 'track-deleted'
$state.transitionTo 'account.tracks'


@ -20,7 +20,7 @@ angular.module('ponyfm').factory('auth', [
data: {isLogged: window.pfm.auth.isLogged, user: window.pfm.auth.user}
login: (email, password, remember) ->
def = new $.Deferred()
$.post('/api/web/auth/login', {email: email, password: password, remember: remember, _token: pfm.token})
$.post('/api/web/auth/login', {email: email, password: password, remember: remember})
.done ->
$rootScope.$apply -> def.resolve()
@ -29,6 +29,5 @@ angular.module('ponyfm').factory('auth', [
def.promise()
logout: -> $.post('/api/web/auth/logout', {_token: pfm.token})
logout: -> $.post('/api/web/auth/logout')
])


@ -24,7 +24,7 @@ angular.module('ponyfm').factory('comments', [
addComment: (resourceType, resourceId, content) ->
commentDef = new $.Deferred()
$http.post('/api/web/comments/' + resourceType + '/' + resourceId, {content: content, _token: pfm.token}).success (comment) ->
$http.post('/api/web/comments/' + resourceType + '/' + resourceId, {content: content}).success (comment) ->
commentDef.resolve comment
commentDef.promise()
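Review bot: Dropping `_token` from the `$http.post` call on line 111 leaves no visible CSRF handling in this factory, and the jQuery `ajaxPrefilter` added in this commit does not apply to Angular's `$http`. The call keeps working only because AngularJS `$http` itself copies the `XSRF-TOKEN` cookie into an `X-XSRF-TOKEN` header on same-origin requests; that dependency should be stated next to the call, e.g. `# CSRF header is added by $http's built-in XSRF support (XSRF-TOKEN cookie)`. The same applies to the `$http.post` hunks in the favourites, follow and playlists factories. `addComment` is shown in full, but the enclosing factory continues outside the hunk.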


@ -24,7 +24,7 @@ angular.module('ponyfm').factory('favourites', [
self =
toggle: (type, id) ->
def = new $.Deferred()
$http.post('/api/web/favourites/toggle', {type: type, id: id, _token: pfm.token}).success (res) ->
$http.post('/api/web/favourites/toggle', {type: type, id: id}).success (res) ->
def.resolve res
def.promise()


@ -20,7 +20,7 @@ angular.module('ponyfm').factory('follow', [
self =
toggle: (type, id) ->
def = new $.Deferred()
$http.post('/api/web/follow/toggle', {type: type, id: id, _token: pfm.token}).success (res) ->
$http.post('/api/web/follow/toggle', {type: type, id: id}).success (res) ->
def.resolve res
def.promise()


@ -63,7 +63,7 @@ angular.module('ponyfm').factory('playlists', [
addTrackToPlaylist: (playlistId, trackId) ->
def = new $.Deferred()
$http.post('/api/web/playlists/' + playlistId + '/add-track', {track_id: trackId, _token: pfm.token}).success (res) ->
$http.post('/api/web/playlists/' + playlistId + '/add-track', {track_id: trackId}).success (res) ->
def.resolve(res)
def
@ -77,7 +77,7 @@ angular.module('ponyfm').factory('playlists', [
deletePlaylist: (playlist) ->
def = new $.Deferred()
$.post('/api/web/playlists/delete/' + playlist.id, {_token: window.pfm.token})
$.post('/api/web/playlists/delete/' + playlist.id)
.then -> $rootScope.$apply ->
if _.some(self.pinnedPlaylists, (p) -> p.id == playlist.id)
currentIndex = _.indexOf(self.pinnedPlaylists, (t) -> t.id == playlist.id)
@ -92,7 +92,6 @@ angular.module('ponyfm').factory('playlists', [
editPlaylist: (playlist) ->
def = new $.Deferred()
playlist._token = pfm.token
$.post('/api/web/playlists/edit/' + playlist.id, playlist)
.done (res) ->
$rootScope.$apply ->
@ -125,7 +124,6 @@ angular.module('ponyfm').factory('playlists', [
createPlaylist: (playlist) ->
def = new $.Deferred()
playlist._token = pfm.token
$.post('/api/web/playlists/create', playlist)
.done (res) ->
$rootScope.$apply ->


@ -62,6 +62,6 @@ angular.module('ponyfm').factory('upload', [
formData.append('track', file);
xhr.open 'POST', '/api/web/tracks/upload', true
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
xhr.send formData
])


@ -21,7 +21,7 @@ trackId = $player.data 'track-id'
$favourite.click (e) ->
e.preventDefault()
$.post('/api/web/favourites/toggle', {type: 'track', id: trackId, _token: pfm.token}).done (res) ->
$.post('/api/web/favourites/toggle', {type: 'track', id: trackId}).done (res) ->
if res.is_favourited
$player.addClass 'favourited'
else
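Review bot: After line 185 the request's only CSRF credential is the `XSRF-TOKEN` cookie read by the new prefilter, whereas the removed `pfm.token` was inlined into the page itself. If this script belongs to the embed bundle rendered inside an iframe on other sites (the embed template in this commit drops its inline `pfm.token`, which suggests so), browsers that block third-party cookies will not expose that cookie, and the favourite toggle would fail with a token mismatch instead of degrading gracefully. Consider checking `$.cookie('XSRF-TOKEN')` before posting and reporting the failure in a `.fail` handler, or documenting that the embed's favourite action requires first-party cookies. The click handler continues outside the hunk.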


@ -1,3 +1,22 @@
/**
* Pony.fm - A community for pony fan music.
* Copyright (C) 2015 Peter Deltchev
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
if (jQuery.when.all===undefined) {
jQuery.when.all = function(deferreds) {
var deferred = new jQuery.Deferred();
@ -11,4 +30,12 @@ if (jQuery.when.all===undefined) {
return deferred;
}
}
}
// Include the CSRF token with all jQuery AJAX requests
jQuery.ajaxPrefilter(function(options, originalOptions, jqXHR) {
if (!options.crossDomain) {
jqXHR.setRequestHeader('X-XSRF-TOKEN', jQuery.cookie('XSRF-TOKEN'))
}
});
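Review bot: The prefilter on lines 219-223 sends the header even when the `XSRF-TOKEN` cookie is absent, because `jQuery.cookie` then returns undefined and `setRequestHeader` stringifies it to "undefined"; the server rejects such requests as a token mismatch and the cause is hard to spot from the browser. Read the cookie once and set the header only when it exists: `var token = jQuery.cookie('XSRF-TOKEN');` / `if (!options.crossDomain && token) {` / `jqXHR.setRequestHeader('X-XSRF-TOKEN', token);`. Line 221 also lacks its terminating semicolon. The `!options.crossDomain` test is the right restriction, since it keeps the token from being sent to other origins, and a comment saying so would help the next reader, e.g. `// same-origin only: never send the token to third-party hosts`.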


@ -128,7 +128,6 @@
@section('scripts')
<script>
window.pfm = {
token: "{!! csrf_token() !!}",
auth: {
@if (Auth::check())
isLogged: true,


@ -62,10 +62,6 @@
</div>
@endif
<script>
var pfm = {token: '{{ Session::token() }}'}
</script>
{!! Assets::scriptIncludes('embed') !!}
@if(config('ponyfm.google_analytics_id'))