Merge pull request #2820 from jgable/fix403

Fix 403 errors after signup
TryGhost · May 29, 2014 · d3c1bdb · d3c1bdb
2 parents fdf5e9d + dc58d69
commit d3c1bdb
Showing 1 changed file with 23 additions and 11 deletions.
diff --git a/core/server/controllers/admin.js b/core/server/controllers/admin.js
@@ -222,8 +222,13 @@ adminControllers = {
         if (!denied) {
             loginSecurity.push({ip: remoteAddress, time: currentTime});
             api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
+                // Carry over the csrf secret
+                var existingSecret = req.session._csrfSecret;
+
                 req.session.regenerate(function (err) {
                     if (!err) {
+                        req.session._csrfSecret = existingSecret;
+
                         req.session.user = user.id;
                         req.session.userData = user.attributes;
 
@@ -260,7 +265,7 @@ adminControllers = {
     // Route: doSignup
     // Path: /ghost/signup/
     // Method: POST
-    'doSignup': function (req, res) {
+    'doSignup': function (req, res, next) {
         var name = req.body.name,
             email = req.body.email,
             password = req.body.password,
@@ -291,7 +296,8 @@ adminControllers = {
                             message: message,
                             options: {}
                         }]
-                    };
+                    },
+                    existingSecret;
 
                 api.mail.send(payload).otherwise(function (error) {
                     errors.logError(
@@ -301,18 +307,24 @@ adminControllers = {
                     );
                 });
 
+                // Carry over the csrf secret
+                existingSecret = req.session._csrfSecret;
                 req.session.regenerate(function (err) {
-                    if (!err) {
-                        if (req.session.user === undefined) {
-                            req.session.user = user.id;
-                            req.session.userData = user;
-                        }
+                    if (err) {
+                        return next(err);
+                    }
 
-                        res.json(200, {
-                            redirect: config().paths.subdir + '/ghost/',
-                            userData: req.session.userData
-                        });
+                    req.session._csrfSecret = existingSecret;
+
+                    if (req.session.user === undefined) {
+                        req.session.user = user.id;
+                        req.session.userData = user;
                     }
+
+                    res.json(200, {
+                        redirect: config().paths.subdir + '/ghost/',
+                        userData: req.session.userData
+                    });
                 });
             });
         }).otherwise(function (error) {