added csrf to ajax calls

Baris Usakli
2013-06-20 16:29:44 -04:00
parent a32103efbe
commit 523b787e69
8 changed files with 31 additions and 23 deletions


@@ -23,10 +23,11 @@ var express = require('express'),
(function(app) {
var templates = null;
app.build_header = function() {
app.build_header = function(res) {
return templates['header'].parse({
cssSrc: global.config['theme:src'] || '/vendor/bootstrap/css/bootstrap.min.css',
title: global.config['title'] || 'NodeBB'
title: global.config['title'] || 'NodeBB',
csrf:res.locals.csrf_token
});
};
@@ -94,7 +95,7 @@ var express = require('express'),
return;
}
res.send(app.build_header() + app.create_route(route) + templates['footer']);
res.send(app.build_header(res) + app.create_route(route) + templates['footer']);
});
}(routes[i]));
}
@@ -104,7 +105,7 @@ var express = require('express'),
app.get('/', function(req, res) {
categories.getAllCategories(function(returnData) {
res.send(
app.build_header() +
app.build_header(res) +
'\n\t<noscript>\n' + templates['noscript/header'] + templates['noscript/home'].parse(returnData) + '\n\t</noscript>' +
app.create_route('') +
templates['footer']
@@ -132,7 +133,7 @@ var express = require('express'),
var topic_url = tid + (req.params.slug ? '/' + req.params.slug : '');
topics.getTopicById(tid, ((req.user) ? req.user.uid : 0), function(topic) {
res.send(
app.build_header() +
app.build_header(res) +
'\n\t<noscript>\n' + templates['noscript/header'] + templates['noscript/topic'].parse(topic) + '\n\t</noscript>' +
'\n\t<script>templates.ready(function(){ajaxify.go("topic/' + topic_url + '");});</script>' +
templates['footer']
@@ -160,7 +161,7 @@ var express = require('express'),
categories.getCategoryById(cid, 0, function(returnData) {
console.log(returnData);
res.send(
app.build_header() +
app.build_header(res) +
'\n\t<noscript>\n' + templates['noscript/header'] + templates['noscript/category'].parse(returnData) + '\n\t</noscript>' +
'\n\t<script>templates.ready(function(){ajaxify.go("category/' + category_url + '");});</script>' +
templates['footer']
@@ -169,7 +170,7 @@ var express = require('express'),
});
app.get('/confirm/:code', function(req, res) {
res.send(app.build_header() + '<script>templates.ready(function(){ajaxify.go("confirm/' + req.params.code + '");});</script>' + templates['footer']);
res.send(app.build_header(res) + '<script>templates.ready(function(){ajaxify.go("confirm/' + req.params.code + '");});</script>' + templates['footer']);
});
// These functions are called via ajax once the initial page is loaded to populate templates with data
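Review bot: In the `/confirm/:code` handler (last hunk), `req.params.code` is concatenated unescaped into an inline `<script>` string in the same response that now carries the CSRF token through `app.build_header(res)`. Script injected through that URL segment would run in the page and could presumably read the token from the rendered header, which defeats the protection this commit adds. The topic hunk at `@@ -132,7` does the same with `req.params.slug` via `topic_url`, and `category_url` (defined outside its hunk) may as well. Encode the value before embedding it, for example `ajaxify.go(' + JSON.stringify('confirm/' + req.params.code).replace(/</g, '\\u003c') + ')`, or reject codes that do not match the expected format before responding. Separately, `build_header` now dereferences `res.locals.csrf_token` with no fallback, so it is worth confirming that the CSRF middleware is mounted ahead of every route that calls it.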