Merge branch 'makdown-editor' into 'master'

Workaround for crsf token in production for MarkdownInput

See merge request ae/Sith!189
This commit is contained in:
Antoine Bartuccio 2018-12-20 18:36:05 +01:00
commit 0f7f80e9d3
3 changed files with 9 additions and 15 deletions

View File

@ -47,18 +47,9 @@ function display_notif() {
// You can't get the csrf token from the template in a widget // You can't get the csrf token from the template in a widget
// We get it from a cookie as a workaround, see this link // We get it from a cookie as a workaround, see this link
// https://docs.djangoproject.com/en/2.0/ref/csrf/#ajax // https://docs.djangoproject.com/en/2.0/ref/csrf/#ajax
function getCookie(cname) { // Sadly, getting the cookie is not possible with CSRF_COOKIE_HTTPONLY or CSRF_USE_SESSIONS is True
var name = cname + "="; // So, the true workaround is to get the token from the dom
var decodedCookie = decodeURIComponent(document.cookie); // https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true
var ca = decodedCookie.split(';'); function getCSRFToken() {
for(var i = 0; i <ca.length; i++) { return $("[name=csrfmiddlewaretoken]").val();
var c = ca[i];
while (c.charAt(0) == ' ') {
c = c.substring(1);
}
if (c.indexOf(name) == 0) {
return c.substring(name.length, c.length);
}
}
return "";
} }

View File

@ -26,6 +26,9 @@
<body> <body>
<!-- The token is always passed here to be accessible from the dom -->
<!-- See this workaround https://docs.djangoproject.com/en/2.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-is-true -->
{% csrf_token %}
<!-- BEGIN HEADER --> <!-- BEGIN HEADER -->
{% block header %} {% block header %}
{% if not popup %} {% if not popup %}

View File

@ -18,7 +18,7 @@
$.ajax({ $.ajax({
url: "{{ markdown_api_url }}", url: "{{ markdown_api_url }}",
method: "POST", method: "POST",
data: { text: plainText, csrfmiddlewaretoken: getCookie('csrftoken') }, data: { text: plainText, csrfmiddlewaretoken: getCSRFToken() },
}).done(function (msg) { }).done(function (msg) {
preview.innerHTML = msg; preview.innerHTML = msg;
}); });