From f0d38aa66da02cbf7d593a71c6048b3a1fb7c461 Mon Sep 17 00:00:00 2001
From: Sebastian Gierlinger
Date: Fri, 25 Jul 2014 17:14:48 +0200
Subject: [PATCH] Hide Access Token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
closes #3177
- uses an iFrame to initiate the download to hide the access token
The access token is now hidden in the admin logic. If we would like to completely hide the token it is possible to remove the access token and use signed requests instead, but I think the effort isn’t worth the benefit in this case.
---
 core/client/controllers/debug.js | 21 ++++++++-------------
 core/client/templates/debug.hbs | 2 +-
 2 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/core/client/controllers/debug.js b/core/client/controllers/debug.js
index 79119b2cb6..c65511e69a 100644
--- a/core/client/controllers/debug.js
+++ b/core/client/controllers/debug.js
@@ -1,11 +1,6 @@
 var DebugController = Ember.Controller.extend(Ember.Evented, {
 uploadButtonText: 'Import',
- exportPath: function () {
- return this.get('ghostPaths.url').api('db') +
- '?access_token=' + this.get('session.access_token');
- }.property(),
-
 actions: {
 onUpload: function (file) {
 var self = this,
@@ -33,15 +28,15 @@ var DebugController = Ember.Controller.extend(Ember.Evented, {
 },
 exportData: function () {
- var self = this;
+ var iframe = $('#iframeDownload'),
+ downloadURL = this.get('ghostPaths.url').api('db') +
+ '?access_token=' + this.get('session.access_token');
- ic.ajax.request(this.get('ghostPaths.url').api('db'), {
- type: 'GET'
- }).then(function () {
- self.notifications.showSuccess('Data exported successfully.');
- }).catch(function (response) {
- self.notifications.showErrors(response);
- });
+ if (iframe.length === 0) {
+ iframe = $('