From 586b3d7fe88066894dd0834caf58dc3c23815899 Mon Sep 17 00:00:00 2001
From: Adam Chainz
Date: Thu, 31 Dec 2015 10:16:07 +0000
Subject: [PATCH] Fix CSRF protection to work with non-standard CSRF cookie names

Fixes disqus/nexus#19 with an updated version of disqus/nexus#18 with review changes. Thanks @karech and @graingert.

Conflicts:
	HISTORY.rst
	nexus/templatetags/nexus_helpers.py
---
 nexus/media/js/nexus.js             | 5 +++--
 nexus/templates/nexus/base.html     | 5 ++++-
 nexus/templatetags/nexus_helpers.py | 6 ++++++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/nexus/media/js/nexus.js b/nexus/media/js/nexus.js
index e02c289..5c3ac95 100644
--- a/nexus/media/js/nexus.js
+++ b/nexus/media/js/nexus.js
@@ -34,7 +34,8 @@ jQuery.ajaxSetup({
         }
         if (!safeMethod(settings.type) && sameOrigin(settings.url)) {
-            xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+            var cookieName = $('#nexus-constants').data('csrfCookieName');
+            xhr.setRequestHeader("X-CSRFToken", getCookie(cookieName));
         }
     }
-});
\ No newline at end of file
+});
diff --git a/nexus/templates/nexus/base.html b/nexus/templates/nexus/base.html
index 5a547aa..eec1923 100644
--- a/nexus/templates/nexus/base.html
+++ b/nexus/templates/nexus/base.html
@@ -25,7 +25,10 @@ - + {% block head %} {% endblock %}
diff --git a/nexus/templatetags/nexus_helpers.py b/nexus/templatetags/nexus_helpers.py
index 8d65d6e..ce5d806 100644
--- a/nexus/templatetags/nexus_helpers.py
+++ b/nexus/templatetags/nexus_helpers.py
@@ -1,5 +1,6 @@
 from django import template
 from django.utils.datastructures import SortedDict
+from django.conf import settings
 
 import nexus
 from nexus import conf
@@ -18,6 +19,11 @@ def nexus_version():
 register.simple_tag(nexus_version)
 
 
+def nexus_csrf_cookie_name():
+    return settings.CSRF_COOKIE_NAME
+register.simple_tag(nexus_csrf_cookie_name)
+
+
 def show_navigation(context):
     site = context.get('nexus_site', NexusModule.get_global('site'))
     request = NexusModule.get_request()
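Review bot: The new `getCookie(cookieName)` call has no fallback when `#nexus-constants` is absent from the page or lacks the expected data attribute — jQuery's `.data()` then yields `undefined`, the `X-CSRFToken` header is set from a cookie that does not exist, and every unsafe same-origin request fails Django's CSRF check with no visible cause. Keeping the previous default as a fallback makes that failure mode explicit: `var cookieName = $('#nexus-constants').data('csrfCookieName') || 'csrftoken';`. Note also that `.data()` type-coerces values (a numeric-looking cookie name would come back as a number), so reading the attribute with `.attr(...)` is the stricter choice for a string setting; the attribute itself is presumably added by the base.html hunk, whose markup is not legible in this patch. The enclosing handler inside `jQuery.ajaxSetup({...})`, and the `getCookie`, `safeMethod` and `sameOrigin` helpers it relies on, start outside the hunk.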
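Review bot: `nexus_csrf_cookie_name` has no docstring, and its contract is cross-file coupling a maintainer needs spelled out: the returned setting is rendered into the `#nexus-constants` element in base.html and read back by nexus.js under the camelCased key `csrfCookieName`. Suggest `"""Return settings.CSRF_COOKIE_NAME for nexus.js, which reads it from #nexus-constants to locate the CSRF cookie."""`. Emitting the value into markup is acceptable only because it comes from server settings rather than request data; simple_tag output is conditionally escaped from Django 1.9 on, but the `SortedDict` import in the first hunk suggests this targets an older Django, so the docstring should state that the value must remain a trusted setting. The trailing `register.simple_tag(nexus_csrf_cookie_name)` matches the existing `nexus_version` registration style, so no style change is warranted there.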