
Cross-browser secure file downloads. Closes #855.

1 parent e9f8ff1 commit a727b52ad7dc4f6cbbd3f18928ebbf5368397fbf @onyxfish onyxfish committed Aug 8, 2012
@@ -231,6 +231,8 @@ h3 { font-weight: normal; padding-bottom: 4px; }
#view-dataset #dataset-actions a.disabled { color: #aaa; cursor: default; }
#view-dataset p.disabled { color: #aaa; }
#view-dataset .sample-data { margin-top: 5px; margin-bottom: 10px; }
+#view-dataset .data-uploads .download { font-weight: bold; }
+#view-dataset .related-uploads .download { font-weight: bold; }
#modal-upload-related .progress-bar { display: none; }
#modal-index-types table { width: 100%; }
#modal-index-types table td { padding: 2px 2px 2px 8px; vertical-align: middle;}
@@ -75,3 +75,13 @@ PANDA.utils.escapes_to_entities = function(escaped_text) {
return escaped_text.replace(/%(..)/g,"&#x$1;");
};
+PANDA.utils.csrf_download = function(url) {
+ var iframe = $("<iframe />");
+ var form = $('<form action="' + url + '" method="POST"><input type="hidden" name="csrfmiddlewaretoken" value="' + $.cookie('csrftoken') + '" /></form>');
+
+ $("body").append(iframe);
+ iframe.append(form);
+ form.submit();
+ iframe.remove();
+};
+
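Review bot: `csrf_download` builds the form by concatenating `url` and the cookie value into an HTML string, so a quote or `<` in either one breaks out of the attribute and is parsed as markup; the `action` and the token should be set through `.attr()` / `.val()` so jQuery handles the escaping. Two further things I would confirm on each browser the commit targets: `iframe.append(form)` looks like it puts the form inside the `<iframe>` element in the parent document rather than in the frame's own document, so without a `target` the submit may navigate the top window, and `iframe.remove()` on the very next line after `form.submit()` could cancel the navigation it just started. A short header comment stating that the function posts the CSRF token because the download endpoints accept POST would help the next reader.
```javascript
PANDA.utils.csrf_download = function(url) {
    var iframe = $("<iframe />");
    var form = $("<form />").attr({ action: url, method: "POST" });
    var token = $("<input />")
        .attr({ type: "hidden", name: "csrfmiddlewaretoken" })
        .val($.cookie("csrftoken"));

    form.append(token);
    // … unchanged: append iframe to body, append form, submit, remove …
};
```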
@@ -1,5 +1,6 @@
PANDA.views.DatasetView = Backbone.View.extend({
events: {
+ "click .data-uploads .download, .related-uploads .download": "download_upload",
"click .data-uploads .edit, .related-uploads .edit": "edit_upload",
"click .data-uploads .delete, .related-uploads .delete": "delete_upload",
"click #dataset-upload-related": "upload_related",
@@ -92,6 +93,16 @@ PANDA.views.DatasetView = Backbone.View.extend({
this.related_uploader._button = upload_button;
},
+ download_upload: function(e) {
+ /*
+ * Download the original file.
+ */
+ var element = $(e.currentTarget).parent("li");
+ var uri = element.attr("data-uri");
+
+ PANDA.utils.csrf_download(uri + "download/");
+ },
+
edit_upload: function(e) {
/*
* Provide a modal dialog to allow editing upload metadata. Save that data
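Review bot: `download_upload` reads `data-uri` from the parent `li` and concatenates `"download/"` onto it with no check, so a missing attribute yields a POST to `undefineddownload/` and a value without a trailing slash yields `…resource_uridownload/`; a guard such as `if (!uri) { return; }` before the `csrf_download` call avoids submitting a bogus form. The doc comment could also say where the target comes from, e.g. `* Download the original file. The API resource URI is read from the enclosing <li>'s data-uri attribute (expected to end in a slash).` The `DatasetView` object this method belongs to starts and ends outside the hunk.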
@@ -5,8 +5,8 @@ PANDA.views.FetchExport = Backbone.View.extend({
reset: function(id) {
this.render();
-
- $("#export-download").attr("src", "/api/1.0/export/" + id + "/download/");
+
+ PANDA.utils.csrf_download("/api/1.0/export/" + id + "/download/");
},
render: function() {
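Review bot: `id` is spliced straight into the path passed to `csrf_download`; if it comes from the route hash, a value containing `/`, `?` or `#` changes which endpoint the hidden form posts to. Encoding it keeps the path intact: `PANDA.utils.csrf_download("/api/1.0/export/" + encodeURIComponent(id) + "/download/");`. `reset` is fully visible in the hunk but `render` continues outside it.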
@@ -1,6 +1,4 @@
<div id="export">
<h2>Your export will begin downloading shortly...<h2>
<p><a href="#search/all">&laquo; Return to PANDA</a></p>
-
- <iframe id="export-download" src="" style="display:none;"></iframe>
</div>
@@ -1,6 +1,5 @@
<li data-type="<%= upload_type %>" data-uri="<%= upload.resource_uri %>">
- <strong><a href="/api/1.0/<%= upload_type %>_upload/<%= upload.id %>/download/"><%= upload.title %></a></strong>
- uploaded by <%= PANDA.templates.inline_user(upload.creator) %>
+ <a href="#" onclick="return false;" class="download"><%= upload.title %></a> uploaded by <%= PANDA.templates.inline_user(upload.creator) %>
<a data-original-title="<%= upload.original_filename %><br /><%= PANDA.utils.format_file_size(upload.size) %><br />Uploaded <%= PANDA.templates.inline_timestamp({ d: upload.creation_date }) %>" data-placement="top" href="#" onclick="return false;" rel="tooltip"><i class="icon-info-sign"></i></a>
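Review bot: the rewritten download anchor prints `upload.title` with `<%= %>`, which in Underscore templates is unescaped interpolation, so a title containing markup is inserted into the list as HTML; if this is an Underscore template, `<%- upload.title %>` escapes it (the removed line had the same exposure, but this line is the one being rewritten). The `href="#" onclick="return false;"` pair is consistent with the tooltip anchor on the following line, though the Backbone handler could call `e.preventDefault()` and drop the inline handler.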
@@ -79,7 +79,8 @@ def download(self, request, **kwargs):
"""
Download the original file that was uploaded.
"""
- self.method_check(request, allowed=['get'])
+ # Allow POST so csrf token can come through
+ self.method_check(request, allowed=['get', 'post'])
self.is_authenticated(request)
self.throttle_check(request)
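Review bot: the comment added above `method_check` says why POST is now accepted but not what that commits the handler to — a POST to a download endpoint has to stay read-only, otherwise the point of routing the download through a CSRF-protected form is lost; I would extend it to `# Allow POST (as well as GET) so the CSRF token can be sent via a form; this handler must remain read-only regardless of method.` The identical two-line change appears again in the hunks at `@@ -42,7 +42,8 @@` and `@@ -66,7 +66,8 @@`, each in a `download` method, which suggests a shared mixin or helper for the allowed-methods check rather than three copies. Each `download` body continues outside its hunk.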
@@ -42,7 +42,8 @@ def download(self, request, **kwargs):
"""
Download the original file that was uploaded.
"""
- self.method_check(request, allowed=['get'])
+ # Allow POST so csrf token can come through
+ self.method_check(request, allowed=['get', 'post'])
self.is_authenticated(request)
self.throttle_check(request)
@@ -66,7 +66,8 @@ def download(self, request, **kwargs):
"""
Download the original file that was uploaded.
"""
- self.method_check(request, allowed=['get'])
+ # Allow POST so csrf token can come through
+ self.method_check(request, allowed=['get', 'post'])
self.is_authenticated(request)
self.throttle_check(request)

