fixed csrf issues (thanks to krisb78 and Angelo Dini for helping with…

… this)
django-cms · Feb 15, 2011 · d8e011a · d8e011a
1 parent 397c014
commit d8e011a
Show file tree

Hide file tree

Showing 9 changed files with 40 additions and 8 deletions.
diff --git a/cms/admin/placeholderadmin.py b/cms/admin/placeholderadmin.py
@@ -30,6 +30,7 @@ class Media:
         }
         js = [os.path.join(settings.CMS_MEDIA_URL, path) for path in (
             'js/lib/jquery.js',
+            'js/csrf.js',
             'js/lib/jquery.query.js',
             'js/lib/ui.core.js',
             'js/lib/ui.dialog.js',

diff --git a/cms/media/cms/js/change_list.js b/cms/media/cms/js/change_list.js
@@ -93,7 +93,7 @@
 	};
 
 	$(document).ready(function() {
-		patchCsrf($);
+		$.fn.cmsPatchCSRF();
 	    var selected_page = false;
 	    var action = false;
 

diff --git a/cms/media/cms/js/csrf.js b/cms/media/cms/js/csrf.js
@@ -0,0 +1,32 @@
+(function($){
+	$.fn.cmsPatchCSRF = function () {
+		$.ajaxSetup({
+			beforeSend: function(xhr, settings) {
+				function getCookie(name) {
+					var cookieValue = null;
+					if (document.cookie && document.cookie != '') {
+						var cookies = document.cookie.split(';');
+						for (var i = 0; i < cookies.length; i++) {
+							var cookie = $.trim(cookies[i]);
+							// Does this cookie string begin with the name we want?
+							if (cookie.substring(0, name.length + 1) == (name + '=')) {
+								cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+								break;
+							}
+						}
+					}
+					return cookieValue;
+				}
+				var base_doc_url = document.URL.match(/^http[s]{0,1}:\/\/[^\/]+\//)[0];
+				var base_settings_url = settings.url.match(/^http[s]{0,1}:\/\/[^\/]+\//);
+				if (base_settings_url != null) {
+					base_settings_url = base_settings_url[0];
+				}
+				if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)) || base_doc_url == base_settings_url) {
+					// Only send the token to relative URLs i.e. locally.
+					xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+				}
+			}
+		});
+	};
+})(jQuery);
diff --git a/cms/media/cms/js/plugin_editor.js b/cms/media/cms/js/plugin_editor.js
@@ -1,7 +1,7 @@
 (function($) {
     $(document).ready(function() {
         // Add Plugin Handler
-    	patchCsrf(jQuery);
+    	$.fn.cmsPatchCSRF();
         $('span.add-plugin').click(function(){
          var select = $(this).parent().children("select[name=plugins]");
             var pluginvalue = select.attr('value');

diff --git a/cms/media/cms/js/toolbar.js b/cms/media/cms/js/toolbar.js
@@ -1,6 +1,6 @@
 /* javascript for the frontend editing toolbar */
 
-jQuery.noConflict();
+//jQuery.noConflict();
 
 function hide_iframe(){
     // needs to be a global function because it gets called 
@@ -12,7 +12,7 @@ function hide_iframe(){
 
 jQuery(document).ready(function($) {
 
-	patchCsrf(jQuery)
+	jQuery.fn.cmsPatchCSRF()
 
     jQuery.fn.swapWith = function(to) {
         return this.each(function() {

diff --git a/cms/templates/admin/cms/page/change_form.html b/cms/templates/admin/cms/page/change_form.html
@@ -4,7 +4,7 @@
 
 {% block extrahead %}
 {{ block.super }}
-{% include "cms/inc/csrf_js.html" %}
+<script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/csrf.js"></script>
 <script type="text/javascript" src="{% url admin:jsi18n %}"></script>
 
 {% if not add %}

diff --git a/cms/templates/admin/cms/page/change_list.html b/cms/templates/admin/cms/page/change_list.html
@@ -12,13 +12,13 @@
 
 {% block coltype %}flex{% endblock %}
 {% block extrahead %}
-{% include "cms/inc/csrf_js.html" %}
 <link rel="stylesheet" type="text/css" href="{{ CMS_MEDIA_URL }}css/pages.css"/>
 <link rel="stylesheet" type="text/css" href="{{ CMS_MEDIA_URL }}jstree/tree_component.css" />
 <link rel="stylesheet" type="text/css" href="{{ CMS_MEDIA_URL }}css/jquery.dialog.css" />
 
 {{ block.super }}
 <script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/lib/jquery.js"></script>
+<script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/csrf.js"></script>
 <script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/lib/jquery.livequery.js"></script>
 
 <script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/lib/ui.core.js"></script>

diff --git a/cms/templates/admin/cms/page/widgets/plugin_editor.html b/cms/templates/admin/cms/page/widgets/plugin_editor.html
@@ -18,7 +18,6 @@
 		{% endif %}
 	{% endif %}
 </div>
-{% include "cms/inc/csrf_js.html" %}
 <script type="text/javascript">
 jQuery(document).ready(function(){
 var placeholder_element = jQuery('#placeholder-{{ placeholder.pk }}');

diff --git a/cms/templates/cms/toolbar/toolbar.html b/cms/templates/cms/toolbar/toolbar.html
@@ -1,6 +1,6 @@
 {% load i18n adminmedia %}
-{% include "cms/inc/csrf_js.html" %}
 <script type="text/javascript" src="{% admin_media_prefix %}js/jquery.min.js"></script>
+<script type="text/javascript" src="{{ CMS_MEDIA_URL }}js/csrf.js"></script>
 <script type="text/javascript">
     //<![CDATA[
     // When jQuery is sourced, it's going to overwrite whatever might be in the