From 20bb9c7ec84f8461943403f59c34a520eb7e47da Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 14 Oct 2020 14:02:03 -0400
Subject: [PATCH] fix: csrf token only on non-GET routes
---
 public/src/modules/api.js | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/public/src/modules/api.js b/public/src/modules/api.js
index 33cf5d8d8f05..ef3f4f33b59f 100644
--- a/public/src/modules/api.js
+++ b/public/src/modules/api.js
@@ -10,11 +10,7 @@ define('api', () => {
 baseUrl + options.url;
 function doAjax(cb) {
- $.ajax(Object.assign({
- headers: {
- 'x-csrf-token': config.csrf_token,
- },
- }, options))
+ $.ajax(options)
 .done((res) => {
 cb(null,
 res.hasOwnProperty('status') && res.hasOwnProperty('response') ?
@@ -57,18 +53,27 @@ define('api', () => {
 url: route,
 method: 'post',
 data: payload,
+ headers: {
+ 'x-csrf-token': config.csrf_token,
+ },
 }, onSuccess);
 api.put = (route, payload, onSuccess) => call({
 url: route,
 method: 'put',
 data: payload,
+ headers: {
+ 'x-csrf-token': config.csrf_token,
+ },
 }, onSuccess);
 api.del = (route, payload, onSuccess) => call({
 url: route,
 method: 'delete',
 data: payload,
+ headers: {
+ 'x-csrf-token': config.csrf_token,
+ },
 }, onSuccess);
 return api;
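Review bot: With the default header removed from `doAjax` in the first hunk, sending `'x-csrf-token'` now depends on every verb helper remembering to add it, and the second hunk does that by repeating the same `headers` block in `api.post`, `api.put` and `api.del`. A state-changing helper added later, or one defined outside these hunks, would go out without the token and nothing on the client would flag the omission. Setting the header once in `call()` by method keeps the GET exemption and removes the duplication, for example `if ((options.method || 'get').toLowerCase() !== 'get') { options.headers = Object.assign({ 'x-csrf-token': config.csrf_token }, options.headers); }`. A short comment at that spot saying why GET requests are exempt would save the next reader from restoring the default. `call()` begins above the first hunk, so its other callers are not visible here.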