Fixes #10: Use the X-XSRF-TOKEN header globally for AJAX CSRF protection.
This commit is contained in:
parent
6f62b61915
commit
8bfddc7037
15 changed files with 46 additions and 23 deletions
|
@ -101,11 +101,13 @@ class Assets
|
|||
if ($area == 'embed') {
|
||||
return [
|
||||
"scripts/base/jquery-2.0.2.js",
|
||||
"scripts/base/jquery.cookie.js",
|
||||
"scripts/base/jquery.viewport.js",
|
||||
"scripts/base/underscore.js",
|
||||
"scripts/base/moment.js",
|
||||
"scripts/base/jquery.timeago.js",
|
||||
"scripts/base/soundmanager2-nodebug.js",
|
||||
"scripts/shared/jquery-extensions.js",
|
||||
"scripts/embed/*.coffee"
|
||||
];
|
||||
}
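Review bot: The new `jquery.cookie.js` entry is a hard prerequisite for the `jquery-extensions.js` prefilter that calls `jQuery.cookie()` on every AJAX request, yet nothing in this array records that constraint or that the same list is repeated by hand in the gulpfile's `scripts-embed` task, so the two copies can drift apart. A comment above the `return [` line would capture both: `// Keep in sync with the "scripts-embed" gulp task; jquery.cookie.js and jquery-extensions.js must both be in the bundle, since the ajaxPrefilter in the latter calls $.cookie() on every request`. The vendored cookie plugin also carries no version in its filename, unlike `jquery-2.0.2.js`, which makes a later supply-chain check harder; pinning the version in the name or a header comment is cheap. The enclosing method starts outside the hunk.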
|
||||
|
|
|
@ -106,11 +106,13 @@ gulp.task("scripts-embed", function () {
|
|||
|
||||
var includedScripts = [
|
||||
"resources/assets/scripts/base/jquery-2.0.2.js",
|
||||
"resources/assets/scripts/base/jquery.cookie.js",
|
||||
"resources/assets/scripts/base/jquery.viewport.js",
|
||||
"resources/assets/scripts/base/underscore.js",
|
||||
"resources/assets/scripts/base/moment.js",
|
||||
"resources/assets/scripts/base/jquery.timeago.js",
|
||||
"resources/assets/scripts/base/soundmanager2-nodebug.js",
|
||||
"resources/assets/scripts/shared/jquery-extensions.js",
|
||||
"resources/assets/scripts/embed/*.coffee"
|
||||
];
|
||||
|
||||
|
|
|
@ -108,7 +108,7 @@ angular.module('ponyfm').controller "account-albums-edit", [
|
|||
formData.append 'track_ids', _.map($scope.tracks, (t) -> t.id).join()
|
||||
|
||||
xhr.open 'POST', url, true
|
||||
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
|
||||
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
|
||||
$scope.isSaving = true
|
||||
xhr.send formData
|
||||
|
||||
|
@ -117,7 +117,7 @@ angular.module('ponyfm').controller "account-albums-edit", [
|
|||
{result: 'ok', label: 'Yes', cssClass: 'btn-danger'}, {result: 'cancel', label: 'No', cssClass: 'btn-primary'}
|
||||
]).open().then (res) ->
|
||||
return if res == 'cancel'
|
||||
$.post('/api/web/albums/delete/' + $scope.album.id, {_token: window.pfm.token})
|
||||
$.post('/api/web/albums/delete/' + $scope.album.id)
|
||||
.then -> $scope.$apply ->
|
||||
$scope.$emit 'album-deleted'
|
||||
$state.transitionTo 'account.albums'
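Review bot: `$.cookie('XSRF-TOKEN')` on the replaced `setRequestHeader` line returns `undefined` when the cookie is absent (expired session, cookies blocked), and `XMLHttpRequest.setRequestHeader` then sends the literal string `undefined`, which the server would presumably reject as a token mismatch rather than as a clear "not authenticated" condition. Read the cookie once and set the header only when it exists: `token = $.cookie('XSRF-TOKEN')` followed by `xhr.setRequestHeader 'X-XSRF-TOKEN', token if token?`. The same three lines recur in account-settings, account-track and the upload factory because a raw XMLHttpRequest never passes through `jQuery.ajaxPrefilter`; a single shared helper (for example on `pfm`) would keep that behaviour in one place. The enclosing controller continues outside both hunks.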
|
||||
|
|
|
@ -67,7 +67,7 @@ angular.module('ponyfm').controller "account-settings", [
|
|||
formData.append name, value
|
||||
|
||||
xhr.open 'POST', '/api/web/account/settings/save', true
|
||||
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
|
||||
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
|
||||
$scope.isSaving = true
|
||||
xhr.send formData
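Review bot: The replaced header line is the only trace of why this save path bypasses the global jQuery prefilter, which is not obvious to a reader who sees `_token` removed everywhere else in this commit. A comment above it, `# raw XMLHttpRequest does not go through jQuery.ajaxPrefilter, so the XSRF header is attached by hand`, would stop someone from deleting the line as redundant. It is also worth guarding against a missing cookie here as at the other XHR call sites, since `$.cookie` yields `undefined` when `XSRF-TOKEN` is not set and that value is passed straight to `setRequestHeader`. The enclosing function starts outside the hunk.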
|
||||
|
||||
|
|
|
@ -116,7 +116,7 @@ angular.module('ponyfm').controller "account-track", [
|
|||
formData.append 'show_song_ids', _.map(_.values($scope.selectedSongs), (s) -> s.id).join()
|
||||
|
||||
xhr.open 'POST', '/api/web/tracks/edit/' + $scope.edit.id, true
|
||||
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
|
||||
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
|
||||
$scope.isSaving = true
|
||||
xhr.send formData
|
||||
|
||||
|
@ -151,7 +151,7 @@ angular.module('ponyfm').controller "account-track", [
|
|||
{result: 'ok', label: 'Yes', cssClass: 'btn-danger'}, {result: 'cancel', label: 'No', cssClass: 'btn-primary'}
|
||||
]).open().then (res) ->
|
||||
return if res == 'cancel'
|
||||
$.post('/api/web/tracks/delete/' + track.id, {_token: window.pfm.token})
|
||||
$.post('/api/web/tracks/delete/' + track.id)
|
||||
.then -> $scope.$apply ->
|
||||
$scope.$emit 'track-deleted'
|
||||
$state.transitionTo 'account.tracks'
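Review bot: The replaced `$.post('/api/web/tracks/delete/' + track.id)` line now depends entirely on the prefilter in jquery-extensions.js for its CSRF header, and the chain still has only a `.then` success path, so as far as this hunk shows a rejected request (token mismatch, expired session) leaves the track in place with no feedback. Adding `.fail -> $scope.$apply -> ...` with whatever error convention the view uses makes the new implicit dependency observable when it breaks. The first hunk's raw XHR has the related weakness that `$.cookie('XSRF-TOKEN')` may be `undefined` and is handed to `setRequestHeader` unchecked. The enclosing controller continues outside the hunks.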
|
||||
|
|
|
@ -20,7 +20,7 @@ angular.module('ponyfm').factory('auth', [
|
|||
data: {isLogged: window.pfm.auth.isLogged, user: window.pfm.auth.user}
|
||||
login: (email, password, remember) ->
|
||||
def = new $.Deferred()
|
||||
$.post('/api/web/auth/login', {email: email, password: password, remember: remember, _token: pfm.token})
|
||||
$.post('/api/web/auth/login', {email: email, password: password, remember: remember})
|
||||
.done ->
|
||||
$rootScope.$apply -> def.resolve()
|
||||
|
||||
|
@ -29,6 +29,5 @@ angular.module('ponyfm').factory('auth', [
|
|||
|
||||
def.promise()
|
||||
|
||||
logout: -> $.post('/api/web/auth/logout', {_token: pfm.token})
|
||||
logout: -> $.post('/api/web/auth/logout')
|
||||
])
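Review bot: In `login`, the request at the replaced `$.post('/api/web/auth/login', …)` line now carries its CSRF header via the jQuery prefilter, but the visible chain only has `.done` resolving `def`; unless the line between the two hunks adds a `.fail`, a 4xx from a token mismatch leaves the deferred pending forever and the login form without feedback. Consider `.fail -> $rootScope.$apply -> def.reject()` so callers can surface the error. Reading the cookie at request time, as the prefilter does, is the right direction here because a successful login typically regenerates the session and its CSRF token, but that only holds if the server re-issues the `XSRF-TOKEN` cookie in the login response, which this diff does not show. `logout` on the replaced line has the same fire-and-forget shape.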
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ angular.module('ponyfm').factory('comments', [
|
|||
|
||||
addComment: (resourceType, resourceId, content) ->
|
||||
commentDef = new $.Deferred()
|
||||
$http.post('/api/web/comments/' + resourceType + '/' + resourceId, {content: content, _token: pfm.token}).success (comment) ->
|
||||
$http.post('/api/web/comments/' + resourceType + '/' + resourceId, {content: content}).success (comment) ->
|
||||
commentDef.resolve comment
|
||||
|
||||
commentDef.promise()
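Review bot: The replaced `$http.post(...)` line drops `_token` but, unlike the `$.post` calls in this commit, `$http` never passes through `jQuery.ajaxPrefilter`; it relies on AngularJS's own XSRF handling, which by default copies the `XSRF-TOKEN` cookie into an `X-XSRF-TOKEN` header on same-origin requests, assuming those defaults have not been changed elsewhere in the app. That dependency is invisible here, so a one-line comment is warranted: `# CSRF: $http attaches X-XSRF-TOKEN from the XSRF-TOKEN cookie itself (AngularJS default), not via the jQuery prefilter`. Anyone later swapping `$http` for `$.post` or a raw XHR would otherwise lose the header silently. The enclosing factory starts outside the hunk.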
|
||||
|
|
|
@ -24,7 +24,7 @@ angular.module('ponyfm').factory('favourites', [
|
|||
self =
|
||||
toggle: (type, id) ->
|
||||
def = new $.Deferred()
|
||||
$http.post('/api/web/favourites/toggle', {type: type, id: id, _token: pfm.token}).success (res) ->
|
||||
$http.post('/api/web/favourites/toggle', {type: type, id: id}).success (res) ->
|
||||
def.resolve res
|
||||
|
||||
def.promise()
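Review bot: The `$http.post('/api/web/favourites/toggle', …)` line now relies on AngularJS's built-in XSRF cookie-to-header copying rather than the jQuery prefilter added in this commit, and nothing in the factory says so. Add `# $http sends X-XSRF-TOKEN from the XSRF-TOKEN cookie on its own; do not switch this to $.post or raw XHR without re-checking the CSRF header` above the call. The enclosing factory starts outside the hunk.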
|
||||
|
|
|
@ -20,7 +20,7 @@ angular.module('ponyfm').factory('follow', [
|
|||
self =
|
||||
toggle: (type, id) ->
|
||||
def = new $.Deferred()
|
||||
$http.post('/api/web/follow/toggle', {type: type, id: id, _token: pfm.token}).success (res) ->
|
||||
$http.post('/api/web/follow/toggle', {type: type, id: id}).success (res) ->
|
||||
def.resolve res
|
||||
|
||||
def.promise()
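Review bot: As with the other `$http` factories, the replaced `$http.post('/api/web/follow/toggle', …)` line gets its CSRF header from AngularJS's default XSRF handling, not from the jQuery prefilter, which is worth stating since the two mechanisms read the same `XSRF-TOKEN` cookie but are configured in different places. A comment such as `# CSRF header added by AngularJS $http (XSRF-TOKEN cookie -> X-XSRF-TOKEN)` keeps that explicit. The enclosing factory starts outside the hunk.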
|
||||
|
|
|
@ -63,7 +63,7 @@ angular.module('ponyfm').factory('playlists', [
|
|||
|
||||
addTrackToPlaylist: (playlistId, trackId) ->
|
||||
def = new $.Deferred()
|
||||
$http.post('/api/web/playlists/' + playlistId + '/add-track', {track_id: trackId, _token: pfm.token}).success (res) ->
|
||||
$http.post('/api/web/playlists/' + playlistId + '/add-track', {track_id: trackId}).success (res) ->
|
||||
def.resolve(res)
|
||||
|
||||
def
|
||||
|
@ -77,7 +77,7 @@ angular.module('ponyfm').factory('playlists', [
|
|||
|
||||
deletePlaylist: (playlist) ->
|
||||
def = new $.Deferred()
|
||||
$.post('/api/web/playlists/delete/' + playlist.id, {_token: window.pfm.token})
|
||||
$.post('/api/web/playlists/delete/' + playlist.id)
|
||||
.then -> $rootScope.$apply ->
|
||||
if _.some(self.pinnedPlaylists, (p) -> p.id == playlist.id)
|
||||
currentIndex = _.indexOf(self.pinnedPlaylists, (t) -> t.id == playlist.id)
|
||||
|
@ -92,7 +92,6 @@ angular.module('ponyfm').factory('playlists', [
|
|||
|
||||
editPlaylist: (playlist) ->
|
||||
def = new $.Deferred()
|
||||
playlist._token = pfm.token
|
||||
$.post('/api/web/playlists/edit/' + playlist.id, playlist)
|
||||
.done (res) ->
|
||||
$rootScope.$apply ->
|
||||
|
@ -125,7 +124,6 @@ angular.module('ponyfm').factory('playlists', [
|
|||
|
||||
createPlaylist: (playlist) ->
|
||||
def = new $.Deferred()
|
||||
playlist._token = pfm.token
|
||||
$.post('/api/web/playlists/create', playlist)
|
||||
.done (res) ->
|
||||
$rootScope.$apply ->
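Review bot: In the `deletePlaylist` hunk, `currentIndex = _.indexOf(self.pinnedPlaylists, (t) -> t.id == playlist.id)` passes a predicate to `_.indexOf`, which compares elements against the value with strict equality, so unless the bundled underscore is a fork with predicate support it always returns -1; `_.findIndex(self.pinnedPlaylists, (t) -> t.id == playlist.id)` (underscore 1.8+) or a plain loop is what the `_.some` guard on the previous line implies. The commit did not touch that line, but the path it sits in now receives its CSRF header implicitly from the jQuery prefilter, while `addTrackToPlaylist` two hunks up uses `$http` and gets the header through AngularJS instead; a short comment at the top of the factory noting that both clients derive `X-XSRF-TOKEN` from the `XSRF-TOKEN` cookie via different mechanisms would save a future reader from removing one as redundant. The factory continues outside the hunks.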
|
||||
|
|
|
@ -62,6 +62,6 @@ angular.module('ponyfm').factory('upload', [
|
|||
formData.append('track', file);
|
||||
|
||||
xhr.open 'POST', '/api/web/tracks/upload', true
|
||||
xhr.setRequestHeader 'X-CSRF-Token', pfm.token
|
||||
xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
|
||||
xhr.send formData
|
||||
])
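Review bot: `xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')` on the replaced line passes the cookie value through unchecked; when `XSRF-TOKEN` is missing, `$.cookie` returns `undefined` and the upload goes out with the header value `"undefined"`, so the whole file is transferred before the mismatch can be reported. Check the cookie before opening the request and stop early with a user-visible error when it is absent: `token = $.cookie('XSRF-TOKEN')` then `return ... unless token?` adapted to how this factory reports failures. Like the other raw-XHR call sites, this path does not go through `jQuery.ajaxPrefilter`, which is why the header has to be set by hand here; a comment saying so would help. The enclosing factory starts outside the hunk.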
|
||||
|
|
|
@ -21,7 +21,7 @@ trackId = $player.data 'track-id'
|
|||
$favourite.click (e) ->
|
||||
e.preventDefault()
|
||||
|
||||
$.post('/api/web/favourites/toggle', {type: 'track', id: trackId, _token: pfm.token}).done (res) ->
|
||||
$.post('/api/web/favourites/toggle', {type: 'track', id: trackId}).done (res) ->
|
||||
if res.is_favourited
|
||||
$player.addClass 'favourited'
|
||||
else
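Review bot: The replaced `$.post('/api/web/favourites/toggle', …)` line in the embed player now takes its CSRF header from the prefilter reading `$.cookie('XSRF-TOKEN')`, but an embed presumably runs inside an iframe on third-party pages, where browsers that block third-party cookies (or a strict `SameSite` policy) expose neither the session nor the `XSRF-TOKEN` cookie; the request then leaves with `X-XSRF-TOKEN: undefined` and fails server-side with nothing shown to the user. Check `$.cookie('XSRF-TOKEN')?` before posting and fall back to a visible "log in on the main site to favourite" state, and add a `.fail` handler so the `favourited` class is not left out of step with the server. The enclosing click handler continues outside the hunk.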
|
||||
|
|
|
@ -1,3 +1,22 @@
|
|||
/**
|
||||
* Pony.fm - A community for pony fan music.
|
||||
* Copyright (C) 2015 Peter Deltchev
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
|
||||
if (jQuery.when.all===undefined) {
|
||||
jQuery.when.all = function(deferreds) {
|
||||
var deferred = new jQuery.Deferred();
|
||||
|
@ -12,3 +31,11 @@ if (jQuery.when.all===undefined) {
|
|||
return deferred;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Include the CSRF token with all jQuery AJAX requests
|
||||
jQuery.ajaxPrefilter(function(options, originalOptions, jqXHR) {
|
||||
if (!options.crossDomain) {
|
||||
jqXHR.setRequestHeader('X-XSRF-TOKEN', jQuery.cookie('XSRF-TOKEN'))
|
||||
}
|
||||
});
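Review bot: The new prefilter sets the header from `jQuery.cookie('XSRF-TOKEN')` without checking the result, so when the cookie is absent every same-origin request carries `X-XSRF-TOKEN: undefined`, and when `jquery.cookie.js` is missing from a bundle `jQuery.cookie` is not a function and every AJAX call throws before it is sent; the `setRequestHeader` statement is also missing its semicolon, unlike the rest of the file. The `crossDomain` check is what keeps the token from being sent to other origins and deserves a comment, as does the assumption the whole scheme rests on: the server must set `XSRF-TOKEN` readable by script (not HttpOnly) and compare the header with the session token, neither of which is visible in this file and should be confirmed server-side. Raw `XMLHttpRequest` and AngularJS `$http` do not pass through this hook, which explains the hand-set headers elsewhere in the commit and belongs in the comment too. Rewritten filter below.
```javascript
// CSRF: copy the XSRF-TOKEN cookie (set by the server, readable by script)
// into the X-XSRF-TOKEN header on same-origin jQuery AJAX requests. Raw
// XMLHttpRequest and AngularJS $http do not pass through this hook.
// Requires jquery.cookie.js to be loaded before any request is made.
jQuery.ajaxPrefilter(function (options, originalOptions, jqXHR) {
  if (options.crossDomain) {
    return; // never send the token to another origin
  }
  var token = typeof jQuery.cookie === 'function' ? jQuery.cookie('XSRF-TOKEN') : null;
  if (token) {
    jqXHR.setRequestHeader('X-XSRF-TOKEN', token);
  }
});
```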
|
||||
|
|
|
@ -128,7 +128,6 @@
|
|||
@section('scripts')
|
||||
<script>
|
||||
window.pfm = {
|
||||
token: "{!! csrf_token() !!}",
|
||||
auth: {
|
||||
@if (Auth::check())
|
||||
isLogged: true,
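Review bot: Removing `token: "{!! csrf_token() !!}"` from `window.pfm` matches the other hunks, but any script or template outside this diff that still reads `pfm.token` or `window.pfm.token` will now get `undefined` and, if it places that in a header or `_token` field, send the literal string `undefined` without any JavaScript error; a repository-wide search for `pfm.token` before merging would confirm the diff is complete. If some readers must remain for a while, keep `token` with a comment marking it deprecated in favour of the `XSRF-TOKEN` cookie. The `@section('scripts')` body continues outside the hunk.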
|
||||
|
|
|
@ -62,10 +62,6 @@
|
|||
</div>
|
||||
@endif
|
||||
|
||||
<script>
|
||||
var pfm = {token: '{{ Session::token() }}'}
|
||||
</script>
|
||||
|
||||
{!! Assets::scriptIncludes('embed') !!}
|
||||
|
||||
@if(config('ponyfm.google_analytics_id'))
|
||||
|
|