fixed all POST routes to use new csrf middleware

11 years ago · a061079995
parent 4f6b3055ff
commit a061079995
10 changed files with 30 additions and 22 deletions
--- a/public/src/forum/admin/categories.js
+++ b/public/src/forum/admin/categories.js
@ -203,7 +203,7 @@ define('forum/admin/categories', ['uploader', 'forum/admin/iconSelect'], functio
 				var inputEl = $(this),
 					cid = inputEl.parents('li[data-cid]').attr('data-cid');

-				uploader.open(RELATIVE_PATH + '/admin/category/uploadpicture', {cid: cid}, 0, function(imageUrlOnServer) {
+				uploader.open(RELATIVE_PATH + '/admin/category/uploadpicture', { cid: cid }, 0, function(imageUrlOnServer) {
 					inputEl.val(imageUrlOnServer);
 					var previewBox = inputEl.parents('li[data-cid]').find('.preview-box');
 					previewBox.css('background', 'url(' + imageUrlOnServer + '?' + new Date().getTime() + ')')
--- a/public/src/modules/composer/uploads.js
+++ b/public/src/modules/composer/uploads.js
@ -235,10 +235,10 @@ define('composer/uploads', ['composer/preview'], function(preview) {
 				textarea.val(current.replace(re, filename + '](' + text + ')'));
 			}

-			$(this).find('#postUploadCsrf').val($('#csrf_token').val());
+			$(this).find('#postUploadCsrf').val($('#csrf').attr('data-csrf'));

 			if (formData) {
-				formData.append('_csrf', $('#csrf_token').val());
+				formData.append('_csrf', $('#csrf').attr('data-csrf'));
 			}

 			uploads.inProgress[post_uuid] = uploads.inProgress[post_uuid] || [];
@ -291,7 +291,7 @@ define('composer/uploads', ['composer/preview'], function(preview) {
 		thumbForm.attr('action', params.route);

 		thumbForm.off('submit').submit(function() {
-			var csrf = $('#csrf_token').val();
+			var csrf = $('#csrf').attr('data-csrf');
 			$(this).find('#thumbUploadCsrf').val(csrf);

 			if(formData) {
--- a/public/src/modules/uploader.js
+++ b/public/src/modules/uploader.js
@ -19,6 +19,7 @@ define('uploader', function() {
 		uploadForm[0].reset();
 		uploadForm.attr('action', route);
 		uploadForm.find('#params').val(JSON.stringify(params));
+		uploadForm.find('#csrfToken').val($('#csrf').attr('data-csrf'));

 		if(fileSize) {
 			uploadForm.find('#upload-file-size').html(fileSize);
--- a/src/controllers/accounts.js
+++ b/src/controllers/accounts.js
@ -336,6 +336,8 @@ accountsController.accountEdit = function(req, res, next) {
 			return next(err);
 		}

+		userData.csrf = req.csrfToken();
+
 		res.render('account/edit', userData);
 	});
 };
--- a/src/controllers/admin.js
+++ b/src/controllers/admin.js
@ -127,7 +127,10 @@ function filterAndRenderCategories(req, res, next, active) {
 			return active ? !category.disabled : category.disabled;
 		});

-		res.render('admin/categories', {categories: categoryData});
+		res.render('admin/categories', {
+			categories: categoryData,
+			csrf: req.csrfToken()
+		});
 	});
 }

--- a/src/controllers/categories.js
+++ b/src/controllers/categories.js
@ -176,6 +176,7 @@ categoriesController.get = function(req, res, next) {

 		data.currentPage = page;
 		data['feeds:disableRSS'] = meta.config['feeds:disableRSS'] === '1' ? true : false;
+		data.csrf = req.csrfToken();

 		// Paginator for noscript
 		data.pages = [];
--- a/src/controllers/topics.js
+++ b/src/controllers/topics.js
@ -196,6 +196,7 @@ topicsController.get = function(req, res, next) {
 		data['reputation:disabled'] = parseInt(meta.config['reputation:disabled'], 10) === 1;
 		data['downvote:disabled'] = parseInt(meta.config['downvote:disabled'], 10) === 1;
 		data['feeds:disableRSS'] = parseInt(meta.config['feeds:disableRSS'], 10) === 1;
+		data.csrf = req.csrfToken();

 		var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
 		var queryString = qs.stringify(req.query);
--- a/src/routes/admin.js
+++ b/src/routes/admin.js
@ -43,11 +43,11 @@ function userRoutes(app, middleware, controllers) {
 }

 function forumRoutes(app, middleware, controllers) {
-	app.get('/admin/categories/active', middleware.admin.buildHeader, controllers.admin.categories.active);
-	app.get('/api/admin/categories/active', controllers.admin.categories.active);
+	app.get('/admin/categories/active', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.active);
+	app.get('/api/admin/categories/active', middleware.requireCSRF, controllers.admin.categories.active);

-	app.get('/admin/categories/disabled', middleware.admin.buildHeader, controllers.admin.categories.disabled);
-	app.get('/api/admin/categories/disabled', controllers.admin.categories.disabled);
+	app.get('/admin/categories/disabled', middleware.requireCSRF, middleware.admin.buildHeader, controllers.admin.categories.disabled);
+	app.get('/api/admin/categories/disabled', middleware.requireCSRF, controllers.admin.categories.disabled);

 	app.get('/admin/tags', middleware.admin.buildHeader, controllers.admin.tags.get);
 	app.get('/api/admin/tags', controllers.admin.tags.get);
--- a/src/routes/api.js
+++ b/src/routes/api.js
@ -203,8 +203,8 @@ module.exports =  function(app, middleware, controllers) {
 	router.get('/categories/:cid/moderators', getModerators);
 	router.get('/recent/posts/:term?', getRecentPosts);

-	router.post('/post/upload', uploadPost);
-	router.post('/topic/thumb/upload', uploadThumb);
-	router.post('/user/:userslug/uploadpicture', middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);
+	router.post('/post/upload', middleware.requireCSRF, uploadPost);
+	router.post('/topic/thumb/upload', middleware.requireCSRF, uploadThumb);
+	router.post('/user/:userslug/uploadpicture', middleware.requireCSRF, middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.uploadPicture);

 };
--- a/src/routes/index.js
+++ b/src/routes/index.js
@ -54,11 +54,11 @@ function staticRoutes(app, middleware, controllers) {
 function topicRoutes(app, middleware, controllers) {
 	app.get('/api/topic/teaser/:topic_id', controllers.topics.teaser);

-	app.get('/topic/:topic_id/:slug/:post_index?', middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
-	app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.checkPostIndex, controllers.topics.get);
+	app.get('/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.buildHeader, middleware.checkPostIndex, controllers.topics.get);
+	app.get('/api/topic/:topic_id/:slug/:post_index?', middleware.requireCSRF, middleware.checkPostIndex, controllers.topics.get);

-	app.get('/topic/:topic_id/:slug?', middleware.buildHeader, middleware.addSlug, controllers.topics.get);
-	app.get('/api/topic/:topic_id/:slug?', middleware.addSlug, controllers.topics.get);
+	app.get('/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.topics.get);
+	app.get('/api/topic/:topic_id/:slug?', middleware.requireCSRF, middleware.addSlug, controllers.topics.get);
 }

 function tagRoutes(app, middleware, controllers) {
@ -82,11 +82,11 @@ function categoryRoutes(app, middleware, controllers) {

 	app.get('/api/unread/total', middleware.authenticate, controllers.categories.unreadTotal);

-	app.get('/category/:category_id/:slug/:topic_index', middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
-	app.get('/api/category/:category_id/:slug/:topic_index', middleware.checkTopicIndex, controllers.categories.get);
+	app.get('/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.buildHeader, middleware.checkTopicIndex, controllers.categories.get);
+	app.get('/api/category/:category_id/:slug/:topic_index', middleware.requireCSRF, middleware.checkTopicIndex, controllers.categories.get);

-	app.get('/category/:category_id/:slug?', middleware.buildHeader, middleware.addSlug, controllers.categories.get);
-	app.get('/api/category/:category_id/:slug?', controllers.categories.get);
+	app.get('/category/:category_id/:slug?', middleware.requireCSRF, middleware.buildHeader, middleware.addSlug, controllers.categories.get);
+	app.get('/api/category/:category_id/:slug?', middleware.requireCSRF, controllers.categories.get);
 }

 function accountRoutes(app, middleware, controllers) {
@ -108,8 +108,8 @@ function accountRoutes(app, middleware, controllers) {
 	app.get('/user/:userslug/topics', middleware.buildHeader, middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);
 	app.get('/api/user/:userslug/topics', middleware.checkGlobalPrivacySettings, controllers.accounts.getTopics);

-	app.get('/user/:userslug/edit', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
-	app.get('/api/user/:userslug/edit', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
+	app.get('/user/:userslug/edit', middleware.requireCSRF, middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
+	app.get('/api/user/:userslug/edit', middleware.requireCSRF, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);

 	app.get('/user/:userslug/settings', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
 	app.get('/api/user/:userslug/settings', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);