From 523b787e69a7d6bf69a7db14ad1204b8cd5868f9 Mon Sep 17 00:00:00 2001
From: Baris Usakli
Date: Thu, 20 Jun 2013 16:29:44 -0400
Subject: [PATCH] added csrf to ajax calls

---
 public/src/forum/account.js | 3 ++-
 public/src/forum/accountedit.js | 4 +++-
 public/src/forum/following.js | 2 +-
 public/templates/admin/users.tpl | 6 ++++--
 public/templates/header.tpl | 5 ++++-
 src/routes/authentication.js | 6 +++---
 src/routes/user.js | 13 ++++++-------
 src/webserver.js | 15 ++++++++-------
 8 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/public/src/forum/account.js b/public/src/forum/account.js
index 8a99dc72e0..8619c91594 100644
--- a/public/src/forum/account.js
+++ b/public/src/forum/account.js
@@ -26,7 +26,8 @@
 }
 followBtn.on('click', function() {
- $.post('/users/follow', {uid: theirid},
+
+ $.post('/users/follow', {uid: theirid, _csrf:$('#csrf_token').val()},
 function(data) {
 followBtn.remove();
 $('#user-action-alert').html('You are now following'+ $('.account-username').text() +'!').show();
diff --git a/public/src/forum/accountedit.js b/public/src/forum/accountedit.js
index 2978ad5576..817074ea9e 100644
--- a/public/src/forum/accountedit.js
+++ b/public/src/forum/accountedit.js
@@ -80,7 +80,8 @@ $(document).ready(function() {
 function changeUserPicture(type) {
 var userData = {
 uid: $('#inputUID').val(),
- type: type
+ type: type,
+ _csrf:$('#csrf_token').val()
 };
 $.post('/users/changepicture',
@@ -103,6 +104,7 @@ $(document).ready(function() {
 birthday:$('#inputBirthday').val(),
 location:$('#inputLocation').val(),
 signature:$('#inputSignature').val(),
+ _csrf:$('#csrf_token').val()
 };
 $.post('/users/doedit',
diff --git a/public/src/forum/following.js b/public/src/forum/following.js
index 6e44908119..4727696c92 100644
--- a/public/src/forum/following.js
+++ b/public/src/forum/following.js
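Review bot: The `$.post('/users/follow', …)` call on the new side still registers only a success callback, so a request the server rejects — now the expected outcome whenever `#csrf_token` is absent from the page and `$('#csrf_token').val()` yields undefined — leaves the button in place with no feedback to the user. Chain a failure handler on the jqXHR that `$.post` returns, e.g. `.fail(function () { $('#user-action-alert').html('Could not follow user').show(); });` after the closing parenthesis. The unfollow call in following.js and the makeadmin/removeadmin calls in users.tpl have the same gap. The click handler that encloses this call begins outside the hunk.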
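Review bot: The `_csrf:$('#csrf_token').val()` property is copied by hand into each request body here and into every other POST this commit touches (account.js, following.js, users.tpl), so a future `$.post` that omits it is only discovered when the server rejects the request. A single `$.ajaxPrefilter` registered in a script that every page loads can append the same `_csrf` field to every same-origin POST, after which the per-call copies become redundant; it relies only on the `_csrf` body field the routes already read. `changeUserPicture` and the doedit handler both continue outside their hunks.
```javascript
// once, in a script every page loads: echo the page's CSRF token on every same-origin POST
$.ajaxPrefilter(function (options) {
  if (String(options.type).toUpperCase() !== 'POST' || options.crossDomain) {
    return;
  }
  // options.data has already been serialized by the time prefilters run
  var token = '_csrf=' + encodeURIComponent($('#csrf_token').val());
  options.data = options.data ? options.data + '&' + token : token;
});
```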
@@ -21,7 +21,7 @@
 var removeBtn = $(this);
 var followingUid = $(this).attr('followingUid');
- $.post('/users/unfollow', {uid: followingUid},
+ $.post('/users/unfollow', {uid: followingUid, _csrf:$('#csrf_token').val()},
 function(data) {
 removeBtn.parent().remove();
 }
diff --git a/public/templates/admin/users.tpl b/public/templates/admin/users.tpl
index 12ab8bad97..a3cb096735 100644
--- a/public/templates/admin/users.tpl
+++ b/public/templates/admin/users.tpl
@@ -92,7 +92,8 @@
 var uid = parent.attr('data-uid');
 var userData = {
- uid:uid
+ uid:uid,
+ _csrf:$('#csrf_token').val()
 };
 $.post('/admin/makeadmin',
@@ -122,7 +123,8 @@
 var uid = parent.attr('data-uid');
 var userData = {
- uid:uid
+ uid:uid,
+ _csrf:$('#csrf_token').val()
 };
 $.post('/admin/removeadmin',
diff --git a/public/templates/header.tpl b/public/templates/header.tpl
index 2cc230690c..10dd6dab26 100644
--- a/public/templates/header.tpl
+++ b/public/templates/header.tpl
@@ -98,4 +98,7 @@
-
\ No newline at end of file + + +
+
diff --git a/src/routes/authentication.js b/src/routes/authentication.js
index c08468b77d..96fcbef865 100644
--- a/src/routes/authentication.js
+++ b/src/routes/authentication.js
@@ -86,7 +86,7 @@
 console.log('info: [Auth] Session ' + req.sessionID + ' logout (uid: ' + global.uid + ')');
 user_module.logout(req.sessionID, function(logout) {
 req.logout();
- res.send(app.build_header() + templates['logout'] + templates['footer']);
+ res.send(app.build_header(res) + templates['logout'] + templates['footer']);
 });
 });
@@ -120,11 +120,11 @@
 app.get('/reset/:code', function(req, res) {
- res.send(app.build_header() + templates['reset_code'].parse({ reset_code: req.params.code }) + templates['footer']);
+ res.send(app.build_header(res) + templates['reset_code'].parse({ reset_code: req.params.code }) + templates['footer']);
 });
 app.get('/reset', function(req, res) {
- res.send(app.build_header() + templates['reset'] + templates['footer']);
+ res.send(app.build_header(res) + templates['reset'] + templates['footer']);
 });
diff --git a/src/routes/user.js b/src/routes/user.js
index 2a55ee9b4c..276566e47a 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -23,9 +23,8 @@ var user = require('./../user.js'),
 });
 app.get('/users', function(req, res) {
- console.log('derp');
 user.getUserList(function(data) {
- res.send(app.build_header() + app.create_route("users", "users") + templates['footer']);
+ res.send(app.build_header(res) + app.create_route("users", "users") + templates['footer']);
 });
 });
@@ -43,7 +42,7 @@ var user = require('./../user.js'),
 user.getUserData(uid, function(data) {
 if(data) {
- res.send(app.build_header() + app.create_route('users/'+data.username, 'account') + templates['footer']);
+ res.send(app.build_header(res) + app.create_route('users/'+data.username, 'account') + templates['footer']);
 } else {
 res.redirect('/404');
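Review bot: The logout log line `console.log('info: [Auth] Session ' + req.sessionID + ' logout (uid: ' + global.uid + ')')`, the context line just above the changed `build_header(res)` call, reads `global.uid`, a value shared by every request in the process, so under concurrent sessions the uid it records may belong to a different user than the one logging out. If the line is meant to identify the session owner, the per-request `req.user.uid` (read before `req.logout()` clears it) is the right source; that `req.user` carries a `uid` is inferred from the user.js hunks, not visible here. The route handler begins outside the hunk.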
@@ -60,7 +59,7 @@ var user = require('./../user.js'),
 user.getUserField(req.user.uid, 'username', function(username) {
 if(req.params.username && username === req.params.username)
- res.send(app.build_header() + app.create_route('users/'+req.params.username+'/edit','accountedit') + templates['footer']);
+ res.send(app.build_header(res) + app.create_route('users/'+req.params.username+'/edit','accountedit') + templates['footer']);
 else return res.redirect('/404');
 });
@@ -223,7 +222,7 @@ var user = require('./../user.js'),
 if(!req.user) return res.redirect('/403');
- res.send(app.build_header() + app.create_route('users/'+req.params.username+'/following','following') + templates['footer']);
+ res.send(app.build_header(res) + app.create_route('users/'+req.params.username+'/following','following') + templates['footer']);
 });
 app.get('/users/:username/followers', function(req, res) {
@@ -231,11 +230,11 @@ var user = require('./../user.js'),
 if(!req.user) return res.redirect('/403');
- res.send(app.build_header() + app.create_route('users/'+req.params.username+'/followers','followers') + templates['footer']);
+ res.send(app.build_header(res) + app.create_route('users/'+req.params.username+'/followers','followers') + templates['footer']);
 });
 function api_method(req, res) {
- console.log('derp');
+ var callerUID = req.user?req.user.uid : 0;
 if (!req.params.section && !req.params.username) {
diff --git a/src/webserver.js b/src/webserver.js
index 80712aeb9f..29a3d71c4b 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -23,10 +23,11 @@ var express = require('express'),
 (function(app) {
 var templates = null;
- app.build_header = function() {
+ app.build_header = function(res) {
 return templates['header'].parse({
 cssSrc: global.config['theme:src'] || '/vendor/bootstrap/css/bootstrap.min.css',
- title: global.config['title'] || 'NodeBB'
+ title: global.config['title'] || 'NodeBB',
+ csrf:res.locals.csrf_token
 });
 };
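Review bot: The new line `var callerUID = req.user?req.user.uid : 0;` in `api_method` spaces the conditional unevenly, unlike the `((req.user) ? req.user.uid : 0)` form used in webserver.js; `var callerUID = req.user ? req.user.uid : 0;` reads the same way as the rest of the code. The remainder of `api_method`, including where `callerUID` is consumed, lies outside the hunk, so whether the value is actually used cannot be checked here.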
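Review bot: `app.build_header = function(res)` now reads `res.locals.csrf_token` unconditionally, yet nothing at the definition says that `res` is mandatory or where the token comes from, and a caller that keeps the old zero-argument form throws a TypeError at render time instead of producing a page. A comment above the assignment such as `// res is required: the header template embeds res.locals.csrf_token (set by the CSRF middleware) so client-side POSTs can echo it back as _csrf` would record the contract for the next caller. The middleware that populates `res.locals.csrf_token` and rejects POSTs whose `_csrf` does not match is not part of this diff; the client-side changes only protect those routes if it is mounted ahead of them, which cannot be confirmed from here.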
@@ -94,7 +95,7 @@ var express = require('express'),
 return;
 }
- res.send(app.build_header() + app.create_route(route) + templates['footer']);
+ res.send(app.build_header(res) + app.create_route(route) + templates['footer']);
 });
 }(routes[i]));
 }
@@ -104,7 +105,7 @@ var express = require('express'),
 app.get('/', function(req, res) {
 categories.getAllCategories(function(returnData) {
 res.send(
- app.build_header() +
+ app.build_header(res) +
 '\n\t' + app.create_route('') + templates['footer']
@@ -132,7 +133,7 @@ var express = require('express'),
 var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
 topics.getTopicById(tid, ((req.user) ? req.user.uid : 0), function(topic) {
 res.send(
- app.build_header() +
+ app.build_header(res) +
 '\n\t' + '\n\t' + templates['footer']
@@ -160,7 +161,7 @@ var express = require('express'),
 categories.getCategoryById(cid, 0, function(returnData) {
 console.log(returnData);
 res.send(
- app.build_header() +
+ app.build_header(res) +
 '\n\t' + '\n\t' + templates['footer']
@@ -169,7 +170,7 @@ var express = require('express'),
 });
 app.get('/confirm/:code', function(req, res) {
- res.send(app.build_header() + '' + templates['footer']);
+ res.send(app.build_header(res) + '' + templates['footer']);
 });
 // These functions are called via ajax once the initial page is loaded to populate templates with data
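Review bot: `console.log(returnData);` in the category route, the context line directly above the changed `app.build_header(res) +`, writes the entire category payload to the server log on every request; it reads like the same leftover debugging as the `console.log('derp')` lines this commit removes from user.js and could go in the same pass, leaving `categories.getCategoryById(cid, 0, function(returnData) {` followed directly by `res.send(`. The handler begins and ends outside the hunk.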