Upgrade rails.js, add CSRF token manually in the photo uploader.

app/controllers/photos_controller.rb

@@ -9,7 +9,6 @@ class PhotosController < ApplicationController
 
   respond_to :html, :json
 
-
   def index
     @post_type = :photos
     @person = Person.find_by_id(params[:person_id])
@@ -144,11 +143,7 @@ class PhotosController < ApplicationController
     if photo
       respond_with photo
     else
-      begin
       redirect_to :back
-      rescue
-        redirect_to aspects_path
-      end
     end
   end
 
@@ -193,7 +188,6 @@ class PhotosController < ApplicationController
 
   def photo
     @photo ||= current_user.find_visible_post_by_id(params[:id], :type => 'Photo')
-    @photo
   end
 
   def additional_photos

app/views/layouts/application.html.haml

@@ -28,6 +28,7 @@
     - if rtl?
       = include_stylesheets :rtl, :media => 'all'
 
+    = csrf_meta_tag
     <!--[if IE]>
     = javascript_include_tag "/javascripts/ie.js"
     <![endif]-->
@@ -47,7 +48,6 @@
       = javascript_include_tag 'web-socket-receiver'
       = render 'js/websocket_js'
 
-    = csrf_meta_tag
 
     = yield(:head)
 

public/javascripts/fileuploader-custom.js

@@ -1214,6 +1214,7 @@ qq.extend(qq.UploadHandlerXhr.prototype, {
         xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
         xhr.setRequestHeader("X-File-Name", encodeURIComponent(name));
         xhr.setRequestHeader("Content-Type", "application/octet-stream");
+        xhr.setRequestHeader("X-CSRF-Token", $("meta[name='csrf-token']").attr("content"));
         xhr.send(file);
     },
     _onComplete: function(id, xhr){

public/javascripts/rails.js

@@ -17,139 +17,182 @@ $.fn.clearForm = function() {
   });
 };
 
-
-
-jQuery(function ($) {
-    var csrf_token = $('meta[name=csrf-token]').attr('content'),
-        csrf_param = $('meta[name=csrf-param]').attr('content');
-
-    $.fn.extend({
 /**
-* Triggers a custom event on an element and returns the event result
-* this is used to get around not being able to ensure callbacks are placed
-* at the end of the chain.
+ * Unobtrusive scripting adapter for jQuery
  *
-* TODO: deprecate with jQuery 1.4.2 release, in favor of subscribing to our
-* own events and placing ourselves at the end of the chain.
+ * Requires jQuery 1.4.3 or later.
+ * https://github.com/rails/jquery-ujs
  */
-        triggerAndReturn: function (name, data) {
+
+(function($) {
+  // Make sure that every Ajax request sends the CSRF token
+  function CSRFProtection(fn) {
+    var token = $('meta[name="csrf-token"]').attr('content');
+    if (token) fn(function(xhr) { xhr.setRequestHeader('X-CSRF-Token', token) });
+  }
+  if ($().jquery == '1.5') { // gruesome hack
+    var factory = $.ajaxSettings.xhr;
+    $.ajaxSettings.xhr = function() {
+      var xhr = factory();
+      CSRFProtection(function(setHeader) {
+        var open = xhr.open;
+        xhr.open = function() { open.apply(this, arguments); setHeader(this) };
+      });
+      return xhr;
+    };
+  }
+  else $(document).ajaxSend(function(e, xhr) {
+    CSRFProtection(function(setHeader) { setHeader(xhr) });
+  });
+
+  // Triggers an event on an element and returns the event result
+  function fire(obj, name, data) {
     var event = new $.Event(name);
-            this.trigger(event, data);
-
+    obj.trigger(event, data);
     return event.result !== false;
-        },
+  }
 
-        /**
-* Handles execution of remote calls firing overridable events along the way
-*/
-        callRemote: function () {
-            var el = this,
-                method = el.attr('method') || el.attr('data-method') || 'GET',
-                url = el.attr('action') || el.attr('href'),
-                dataType = el.attr('data-type') || 'script';
+  // Submits "remote" forms and links with ajax
+  function handleRemote(element) {
+    var method, url, data,
+      dataType = element.attr('data-type') || ($.ajaxSettings && $.ajaxSettings.dataType);
 
-            if (url === undefined) {
-              throw "No URL specified for remote call (action or href must be present).";
+    if (element.is('form')) {
+      method = element.attr('method');
+      url = element.attr('action');
+      data = element.serializeArray();
+      // memoized value from clicked submit button
+      var button = element.data('ujs:submit-button');
+      if (button) {
+        data.push(button);
+        element.data('ujs:submit-button', null);
+      }
     } else {
-                if (el.triggerAndReturn('ajax:before')) {
-                    var data = el.is('form') ? el.serializeArray() : [];
+      method = element.attr('data-method');
+      url = element.attr('href');
+      data = null;
+    }
+
     $.ajax({
-                        url: url,
-                        data: data,
-                        dataType: dataType,
-                        type: method.toUpperCase(),
-                        beforeSend: function (xhr) {
-                            el.trigger('ajax:loading', xhr);
+      url: url, type: method || 'GET', data: data, dataType: dataType,
+      // stopping the "ajax:beforeSend" event will cancel the ajax request
+      beforeSend: function(xhr, settings) {
+        if (settings.dataType === undefined) {
+          xhr.setRequestHeader('accept', '*/*;q=0.5, ' + settings.accepts.script);
+        }
+        return fire(element, 'ajax:beforeSend', [xhr, settings]);
       },
       success: function(data, status, xhr) {
-                            el.trigger('ajax:success', [data, status, xhr]);
+        element.trigger('ajax:success', [data, status, xhr]);
       },
-                        complete: function (xhr) {
-                            el.trigger('ajax:complete', xhr);
+      complete: function(xhr, status) {
+        element.trigger('ajax:complete', [xhr, status]);
       },
       error: function(xhr, status, error) {
-                            el.trigger('ajax:failure', [xhr, status, error]);
+        element.trigger('ajax:error', [xhr, status, error]);
       }
     });
   }
 
-                el.trigger('ajax:after');
-            }
-        }
-    });
-
-    /**
-* confirmation handler
-*/
-    $('a[data-confirm],input[data-confirm]').live('click', function(event) {
-        var el = $(this);
-        if (el.triggerAndReturn('confirm')) {
-            if (!confirm(el.attr('data-confirm'))) {
-                event.stopImmediatePropagation();
-                return false;
-            }
-        }
-    });
-
-
-    /**
-* remote handlers
-*/
-    $('form[data-remote]').live('submit', function (e) {
-        $(this).callRemote();
-        e.preventDefault();
-    });
-
-    $('form[data-remote]').live('ajax:success', function (e) {
-        $(this).clearForm();
-        $(this).focusout();
-    });
-
-
-    $('a[data-remote],input[data-remote]').live('click', function (e) {
-        $(this).callRemote();
-        e.preventDefault();
-    });
-
-    $('a[data-method]:not([data-remote])').live('click', function (e) {
-        var link = $(this),
-            href = link.attr('href'),
+  // Handles "data-method" on links such as:
+  // <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
+  function handleMethod(link) {
+    var href = link.attr('href'),
       method = link.attr('data-method'),
+      csrf_token = $('meta[name=csrf-token]').attr('content'),
+      csrf_param = $('meta[name=csrf-param]').attr('content'),
       form = $('<form method="post" action="' + href + '"></form>'),
-            metadata_input = '<input name="_method" value="'+method+'" type="hidden" />';
+      metadata_input = '<input name="_method" value="' + method + '" type="hidden" />',
+      form_params = link.data('form-params');
 
-        if (csrf_param != null && csrf_token != null) {
+    if (csrf_param !== undefined && csrf_token !== undefined) {
       metadata_input += '<input name="' + csrf_param + '" value="' + csrf_token + '" type="hidden" />';
     }
 
-        form.hide()
-            .append(metadata_input)
-            .appendTo('body');
+    // support non-nested JSON encoded params for links
+    if (form_params != undefined) {
+      var params = $.parseJSON(form_params);
+      for (key in params) {
+        form.append($("<input>").attr({"type": "hidden", "name": key, "value": params[key]}));
+      }
+    }
 
-        e.preventDefault();
+    form.hide().append(metadata_input).appendTo('body');
     form.submit();
-    });
+  }
 
-    /**
-* disable-with handlers
-*/
-    var disable_with_input_selector = 'input[data-disable-with]';
-    var disable_with_form_selector = 'form[data-remote]:has(' + disable_with_input_selector + ')';
-
-    $(disable_with_form_selector).live('ajax:before', function () {
-        $(this).find(disable_with_input_selector).each(function () {
+  function disableFormElements(form) {
+    form.find('input[data-disable-with]').each(function() {
       var input = $(this);
-            input.data('enable-with', input.val())
-                 .attr('value', input.attr('data-disable-with'))
+      input.data('ujs:enable-with', input.val())
+        .val(input.attr('data-disable-with'))
         .attr('disabled', 'disabled');
     });
+  }
+
+  function enableFormElements(form) {
+    form.find('input[data-disable-with]').each(function() {
+      var input = $(this);
+      input.val(input.data('ujs:enable-with')).removeAttr('disabled');
+    });
+  }
+
+  function allowAction(element) {
+    var message = element.attr('data-confirm');
+    return !message || (fire(element, 'confirm') && confirm(message));
+  }
+
+  function requiredValuesMissing(form) {
+    var missing = false;
+    form.find('input[name][required]').each(function() {
+      if (!$(this).val()) missing = true;
+    });
+    return missing;
+  }
+
+  $('a[data-confirm], a[data-method], a[data-remote]').live('click.rails', function(e) {
+    var link = $(this);
+    if (!allowAction(link)) return false;
+
+    if (link.attr('data-remote') != undefined) {
+      handleRemote(link);
+      return false;
+    } else if (link.attr('data-method')) {
+      handleMethod(link);
+      return false;
+    }
   });
 
-    $(disable_with_form_selector).live('ajax:complete', function () {
-        $(this).find(disable_with_input_selector).each(function () {
-            var input = $(this);
-            input.removeAttr('disabled')
-                 .val(input.data('enable-with'));
+  $('form').live('submit.rails', function(e) {
+    var form = $(this), remote = form.attr('data-remote') != undefined;
+    if (!allowAction(form)) return false;
+
+    // skip other logic when required values are missing
+    if (requiredValuesMissing(form)) return !remote;
+
+    if (remote) {
+      handleRemote(form);
+      return false;
+    } else {
+      // slight timeout so that the submit button gets properly serialized
+      setTimeout(function(){ disableFormElements(form) }, 13);
+    }
   });
+
+  $('form input[type=submit], form button[type=submit], form button:not([type])').live('click.rails', function() {
+    var button = $(this);
+    if (!allowAction(button)) return false;
+    // register the pressed submit button
+    var name = button.attr('name'), data = name ? {name:name, value:button.val()} : null;
+    button.closest('form').data('ujs:submit-button', data);
   });
+
+  $('form').live('ajax:beforeSend.rails', function(event) {
+    if (this == event.target) disableFormElements($(this));
   });
+
+  $('form').live('ajax:complete.rails', function(event) {
+    if (this == event.target) enableFormElements($(this));
+  });
+})( jQuery );
+

public/javascripts/view.js

@@ -48,6 +48,12 @@ var View = {
     $(this.newRequest.selector)
       .live("submit", this.newRequest.submit);
 
+    /* Clear forms after successful submit */
+    $('form[data-remote]').live('ajax:success', function (e) {
+      $(this).clearForm();
+      $(this).focusout();
+    });
+
     /* Autoexpand textareas */
     var startAutoResize = function() {
       $('textarea')