authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2017-09-23 14:21:40 +0200
committerGravatar GitHub <noreply@github.com> 2017-09-23 14:21:40 +0200
commit0578abf310314c81c97c98b647c186459486801f (patch)
tree44597338f6b38f6c72cfd5649d43342e54dc5afb
parentbc109cff50833fc378832def77fb1e4a5b343bff (diff)
parentca7d1fdddeb5faf48014e93fac50619fa22a893d (diff)
Merge pull request #1640 from Alkarex/fix_global_view_csrf
Fix global view CSRF
-rw-r--r--CHANGELOG.md1
-rw-r--r--p/scripts/category.js2
-rw-r--r--p/scripts/global_view.js3
-rw-r--r--p/scripts/main.js10
4 files changed, 10 insertions, 6 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index de4645622..d1af4ac36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@
* Fix API compatibility bug between PostgreSQL and EasyRSS [#1603](https://github.com/FreshRSS/FreshRSS/pull/1603)
* Fix PostgreSQL error when adding entries with duplicated GUID [#1610](https://github.com/FreshRSS/FreshRSS/issues/1610)
* Fix for RSS feeds containing HTML in author field [#1590](https://github.com/FreshRSS/FreshRSS/issues/1590)
+ * Fix logout issue in global view due to CSRF [#1591](https://github.com/FreshRSS/FreshRSS/issues/1591)
* Misc.
* Travis continuous integration [#1619](https://github.com/FreshRSS/FreshRSS/pull/1619)
* Allow longer database usernames [#1597](https://github.com/FreshRSS/FreshRSS/issues/1597)
diff --git a/p/scripts/category.js b/p/scripts/category.js
index fbcd83a01..caa4fa22f 100644
--- a/p/scripts/category.js
+++ b/p/scripts/category.js
@@ -92,7 +92,7 @@ function init_draggable() {
$.ajax({
type: 'POST',
url: './?c=feed&a=move',
- data : {
+ data: {
f_id: dragFeedId,
c_id: e.target.parentNode.getAttribute('data-cat-id'),
_csrf: context.csrf,
diff --git a/p/scripts/global_view.js b/p/scripts/global_view.js
index de0b9cb9f..c5aaa48b1 100644
--- a/p/scripts/global_view.js
+++ b/p/scripts/global_view.js
@@ -33,6 +33,9 @@ function load_panel(link) {
$.ajax({
type: "POST",
url: $(this).attr("formaction"),
+ data: {
+ _csrf: context.csrf,
+ },
async: false
});
window.location.reload(false);
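Review bot: The outcome of the POST in global_view.js is never checked, so `window.location.reload(false);` runs whether or not the server accepted the `_csrf` token. An expired or mismatched token would presumably still fail silently, and the user would only notice after the reload. Consider dropping the deprecated `async: false` and reloading only on success, e.g. `}).done(function () { window.location.reload(false); });`, with a `.fail()` handler that reports the rejection. Because the token is attached by hand at every call site (this one had been missed), a single `$.ajaxPrefilter` that appends `context.csrf` to same-origin POSTs only would keep a future call from being missed in the same way. The enclosing handler in load_panel starts and ends outside the hunk.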
diff --git a/p/scripts/main.js b/p/scripts/main.js
index 117e8a598..aa2f1d58b 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -133,7 +133,7 @@ function mark_read(active, only_not_read) {
$.ajax({
type: 'POST',
url: url,
- data : {
+ data: {
ajax: true,
_csrf: context.csrf,
},
@@ -182,7 +182,7 @@ function mark_favorite(active) {
$.ajax({
type: 'POST',
url: url,
- data : {
+ data: {
ajax: true,
_csrf: context.csrf,
},
@@ -823,7 +823,7 @@ function updateFeed(feeds, feeds_count) {
$.ajax({
type: 'POST',
url: feed.url,
- data : {
+ data: {
_csrf: context.csrf,
noCommit: feeds.length > 0 ? 1 : 0,
},
@@ -860,7 +860,7 @@ function init_actualize() {
$.ajax({ //Empty request to force refresh server database cache
type: 'POST',
url: './?c=feed&a=actualize&id=-1',
- data : {
+ data: {
_csrf: context.csrf,
noCommit: 0,
},
@@ -1299,7 +1299,7 @@ function init_slider_observers() {
$.ajax({
type: 'GET',
url: url_slide,
- data : { ajax: true }
+ data: { ajax: true }
}).done(function (data) {
slider.html(data);
closer.addClass('active');