Upgrade rails.js, add CSRF token manually in the photo uploader.
This commit is contained in:
Raphael Sofaer
parent
20de3a5622
commit
caf26a5c64
5 changed files with 166 additions and 122 deletions
|
|
@ -9,7 +9,6 @@ class PhotosController < ApplicationController
|
|||
|
||||
respond_to :html, :json
|
||||
|
||||
|
||||
def index
|
||||
@post_type = :photos
|
||||
@person = Person.find_by_id(params[:person_id])
|
||||
|
|
@ -144,11 +143,7 @@ class PhotosController < ApplicationController
|
|||
if photo
|
||||
respond_with photo
|
||||
else
|
||||
begin
|
||||
redirect_to :back
|
||||
rescue
|
||||
redirect_to aspects_path
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
@ -193,7 +188,6 @@ class PhotosController < ApplicationController
|
|||
|
||||
def photo
|
||||
@photo ||= current_user.find_visible_post_by_id(params[:id], :type => 'Photo')
|
||||
@photo
|
||||
end
|
||||
|
||||
def additional_photos
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@
|
|||
- if rtl?
|
||||
= include_stylesheets :rtl, :media => 'all'
|
||||
|
||||
= csrf_meta_tag
|
||||
<!--[if IE]>
|
||||
= javascript_include_tag "/javascripts/ie.js"
|
||||
<![endif]-->
|
||||
|
|
@ -47,7 +48,6 @@
|
|||
= javascript_include_tag 'web-socket-receiver'
|
||||
= render 'js/websocket_js'
|
||||
|
||||
= csrf_meta_tag
|
||||
|
||||
= yield(:head)
|
||||
|
||||
|
|
|
|||
|
|
@ -1214,6 +1214,7 @@ qq.extend(qq.UploadHandlerXhr.prototype, {
|
|||
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
|
||||
xhr.setRequestHeader("X-File-Name", encodeURIComponent(name));
|
||||
xhr.setRequestHeader("Content-Type", "application/octet-stream");
|
||||
xhr.setRequestHeader("X-CSRF-Token", $("meta[name='csrf-token']").attr("content"));
|
||||
xhr.send(file);
|
||||
},
|
||||
_onComplete: function(id, xhr){
|
||||
|
|
|
|||
|
|
@ -17,139 +17,182 @@ $.fn.clearForm = function() {
|
|||
});
|
||||
};
|
||||
|
||||
/**
|
||||
* Unobtrusive scripting adapter for jQuery
|
||||
*
|
||||
* Requires jQuery 1.4.3 or later.
|
||||
* https://github.com/rails/jquery-ujs
|
||||
*/
|
||||
|
||||
(function($) {
|
||||
// Make sure that every Ajax request sends the CSRF token
|
||||
function CSRFProtection(fn) {
|
||||
var token = $('meta[name="csrf-token"]').attr('content');
|
||||
if (token) fn(function(xhr) { xhr.setRequestHeader('X-CSRF-Token', token) });
|
||||
}
|
||||
if ($().jquery == '1.5') { // gruesome hack
|
||||
var factory = $.ajaxSettings.xhr;
|
||||
$.ajaxSettings.xhr = function() {
|
||||
var xhr = factory();
|
||||
CSRFProtection(function(setHeader) {
|
||||
var open = xhr.open;
|
||||
xhr.open = function() { open.apply(this, arguments); setHeader(this) };
|
||||
});
|
||||
return xhr;
|
||||
};
|
||||
}
|
||||
else $(document).ajaxSend(function(e, xhr) {
|
||||
CSRFProtection(function(setHeader) { setHeader(xhr) });
|
||||
});
|
||||
|
||||
jQuery(function ($) {
|
||||
var csrf_token = $('meta[name=csrf-token]').attr('content'),
|
||||
csrf_param = $('meta[name=csrf-param]').attr('content');
|
||||
|
||||
$.fn.extend({
|
||||
/**
|
||||
* Triggers a custom event on an element and returns the event result
|
||||
* this is used to get around not being able to ensure callbacks are placed
|
||||
* at the end of the chain.
|
||||
*
|
||||
* TODO: deprecate with jQuery 1.4.2 release, in favor of subscribing to our
|
||||
* own events and placing ourselves at the end of the chain.
|
||||
*/
|
||||
triggerAndReturn: function (name, data) {
|
||||
// Triggers an event on an element and returns the event result
|
||||
function fire(obj, name, data) {
|
||||
var event = new $.Event(name);
|
||||
this.trigger(event, data);
|
||||
|
||||
obj.trigger(event, data);
|
||||
return event.result !== false;
|
||||
},
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles execution of remote calls firing overridable events along the way
|
||||
*/
|
||||
callRemote: function () {
|
||||
var el = this,
|
||||
method = el.attr('method') || el.attr('data-method') || 'GET',
|
||||
url = el.attr('action') || el.attr('href'),
|
||||
dataType = el.attr('data-type') || 'script';
|
||||
// Submits "remote" forms and links with ajax
|
||||
function handleRemote(element) {
|
||||
var method, url, data,
|
||||
dataType = element.attr('data-type') || ($.ajaxSettings && $.ajaxSettings.dataType);
|
||||
|
||||
if (url === undefined) {
|
||||
throw "No URL specified for remote call (action or href must be present).";
|
||||
if (element.is('form')) {
|
||||
method = element.attr('method');
|
||||
url = element.attr('action');
|
||||
data = element.serializeArray();
|
||||
// memoized value from clicked submit button
|
||||
var button = element.data('ujs:submit-button');
|
||||
if (button) {
|
||||
data.push(button);
|
||||
element.data('ujs:submit-button', null);
|
||||
}
|
||||
} else {
|
||||
if (el.triggerAndReturn('ajax:before')) {
|
||||
var data = el.is('form') ? el.serializeArray() : [];
|
||||
method = element.attr('data-method');
|
||||
url = element.attr('href');
|
||||
data = null;
|
||||
}
|
||||
|
||||
$.ajax({
|
||||
url: url,
|
||||
data: data,
|
||||
dataType: dataType,
|
||||
type: method.toUpperCase(),
|
||||
beforeSend: function (xhr) {
|
||||
el.trigger('ajax:loading', xhr);
|
||||
url: url, type: method || 'GET', data: data, dataType: dataType,
|
||||
// stopping the "ajax:beforeSend" event will cancel the ajax request
|
||||
beforeSend: function(xhr, settings) {
|
||||
if (settings.dataType === undefined) {
|
||||
xhr.setRequestHeader('accept', '*/*;q=0.5, ' + settings.accepts.script);
|
||||
}
|
||||
return fire(element, 'ajax:beforeSend', [xhr, settings]);
|
||||
},
|
||||
success: function (data, status, xhr) {
|
||||
el.trigger('ajax:success', [data, status, xhr]);
|
||||
success: function(data, status, xhr) {
|
||||
element.trigger('ajax:success', [data, status, xhr]);
|
||||
},
|
||||
complete: function (xhr) {
|
||||
el.trigger('ajax:complete', xhr);
|
||||
complete: function(xhr, status) {
|
||||
element.trigger('ajax:complete', [xhr, status]);
|
||||
},
|
||||
error: function (xhr, status, error) {
|
||||
el.trigger('ajax:failure', [xhr, status, error]);
|
||||
error: function(xhr, status, error) {
|
||||
element.trigger('ajax:error', [xhr, status, error]);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
el.trigger('ajax:after');
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
/**
|
||||
* confirmation handler
|
||||
*/
|
||||
$('a[data-confirm],input[data-confirm]').live('click', function(event) {
|
||||
var el = $(this);
|
||||
if (el.triggerAndReturn('confirm')) {
|
||||
if (!confirm(el.attr('data-confirm'))) {
|
||||
event.stopImmediatePropagation();
|
||||
return false;
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
/**
|
||||
* remote handlers
|
||||
*/
|
||||
$('form[data-remote]').live('submit', function (e) {
|
||||
$(this).callRemote();
|
||||
e.preventDefault();
|
||||
});
|
||||
|
||||
$('form[data-remote]').live('ajax:success', function (e) {
|
||||
$(this).clearForm();
|
||||
$(this).focusout();
|
||||
});
|
||||
|
||||
|
||||
$('a[data-remote],input[data-remote]').live('click', function (e) {
|
||||
$(this).callRemote();
|
||||
e.preventDefault();
|
||||
});
|
||||
|
||||
$('a[data-method]:not([data-remote])').live('click', function (e) {
|
||||
var link = $(this),
|
||||
href = link.attr('href'),
|
||||
// Handles "data-method" on links such as:
|
||||
// <a href="/users/5" data-method="delete" rel="nofollow" data-confirm="Are you sure?">Delete</a>
|
||||
function handleMethod(link) {
|
||||
var href = link.attr('href'),
|
||||
method = link.attr('data-method'),
|
||||
form = $('<form method="post" action="'+href+'"></form>'),
|
||||
metadata_input = '<input name="_method" value="'+method+'" type="hidden" />';
|
||||
csrf_token = $('meta[name=csrf-token]').attr('content'),
|
||||
csrf_param = $('meta[name=csrf-param]').attr('content'),
|
||||
form = $('<form method="post" action="' + href + '"></form>'),
|
||||
metadata_input = '<input name="_method" value="' + method + '" type="hidden" />',
|
||||
form_params = link.data('form-params');
|
||||
|
||||
if (csrf_param != null && csrf_token != null) {
|
||||
metadata_input += '<input name="'+csrf_param+'" value="'+csrf_token+'" type="hidden" />';
|
||||
if (csrf_param !== undefined && csrf_token !== undefined) {
|
||||
metadata_input += '<input name="' + csrf_param + '" value="' + csrf_token + '" type="hidden" />';
|
||||
}
|
||||
|
||||
form.hide()
|
||||
.append(metadata_input)
|
||||
.appendTo('body');
|
||||
// support non-nested JSON encoded params for links
|
||||
if (form_params != undefined) {
|
||||
var params = $.parseJSON(form_params);
|
||||
for (key in params) {
|
||||
form.append($("<input>").attr({"type": "hidden", "name": key, "value": params[key]}));
|
||||
}
|
||||
}
|
||||
|
||||
e.preventDefault();
|
||||
form.hide().append(metadata_input).appendTo('body');
|
||||
form.submit();
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* disable-with handlers
|
||||
*/
|
||||
var disable_with_input_selector = 'input[data-disable-with]';
|
||||
var disable_with_form_selector = 'form[data-remote]:has(' + disable_with_input_selector + ')';
|
||||
|
||||
$(disable_with_form_selector).live('ajax:before', function () {
|
||||
$(this).find(disable_with_input_selector).each(function () {
|
||||
function disableFormElements(form) {
|
||||
form.find('input[data-disable-with]').each(function() {
|
||||
var input = $(this);
|
||||
input.data('enable-with', input.val())
|
||||
.attr('value', input.attr('data-disable-with'))
|
||||
input.data('ujs:enable-with', input.val())
|
||||
.val(input.attr('data-disable-with'))
|
||||
.attr('disabled', 'disabled');
|
||||
});
|
||||
}
|
||||
|
||||
function enableFormElements(form) {
|
||||
form.find('input[data-disable-with]').each(function() {
|
||||
var input = $(this);
|
||||
input.val(input.data('ujs:enable-with')).removeAttr('disabled');
|
||||
});
|
||||
}
|
||||
|
||||
function allowAction(element) {
|
||||
var message = element.attr('data-confirm');
|
||||
return !message || (fire(element, 'confirm') && confirm(message));
|
||||
}
|
||||
|
||||
function requiredValuesMissing(form) {
|
||||
var missing = false;
|
||||
form.find('input[name][required]').each(function() {
|
||||
if (!$(this).val()) missing = true;
|
||||
});
|
||||
return missing;
|
||||
}
|
||||
|
||||
$('a[data-confirm], a[data-method], a[data-remote]').live('click.rails', function(e) {
|
||||
var link = $(this);
|
||||
if (!allowAction(link)) return false;
|
||||
|
||||
if (link.attr('data-remote') != undefined) {
|
||||
handleRemote(link);
|
||||
return false;
|
||||
} else if (link.attr('data-method')) {
|
||||
handleMethod(link);
|
||||
return false;
|
||||
}
|
||||
});
|
||||
|
||||
$(disable_with_form_selector).live('ajax:complete', function () {
|
||||
$(this).find(disable_with_input_selector).each(function () {
|
||||
var input = $(this);
|
||||
input.removeAttr('disabled')
|
||||
.val(input.data('enable-with'));
|
||||
$('form').live('submit.rails', function(e) {
|
||||
var form = $(this), remote = form.attr('data-remote') != undefined;
|
||||
if (!allowAction(form)) return false;
|
||||
|
||||
// skip other logic when required values are missing
|
||||
if (requiredValuesMissing(form)) return !remote;
|
||||
|
||||
if (remote) {
|
||||
handleRemote(form);
|
||||
return false;
|
||||
} else {
|
||||
// slight timeout so that the submit button gets properly serialized
|
||||
setTimeout(function(){ disableFormElements(form) }, 13);
|
||||
}
|
||||
});
|
||||
|
||||
$('form input[type=submit], form button[type=submit], form button:not([type])').live('click.rails', function() {
|
||||
var button = $(this);
|
||||
if (!allowAction(button)) return false;
|
||||
// register the pressed submit button
|
||||
var name = button.attr('name'), data = name ? {name:name, value:button.val()} : null;
|
||||
button.closest('form').data('ujs:submit-button', data);
|
||||
});
|
||||
});
|
||||
|
||||
$('form').live('ajax:beforeSend.rails', function(event) {
|
||||
if (this == event.target) disableFormElements($(this));
|
||||
});
|
||||
|
||||
$('form').live('ajax:complete.rails', function(event) {
|
||||
if (this == event.target) enableFormElements($(this));
|
||||
});
|
||||
})( jQuery );
|
||||
|
||||
|
|
|
|||
|
|
@ -48,6 +48,12 @@ var View = {
|
|||
$(this.newRequest.selector)
|
||||
.live("submit", this.newRequest.submit);
|
||||
|
||||
/* Clear forms after successful submit */
|
||||
$('form[data-remote]').live('ajax:success', function (e) {
|
||||
$(this).clearForm();
|
||||
$(this).focusout();
|
||||
});
|
||||
|
||||
/* Autoexpand textareas */
|
||||
var startAutoResize = function() {
|
||||
$('textarea')
|
||||
|
|
|
|||
Loading…
Reference in a new issue