0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-27 22:49:56 -05:00

Hide Access Token

closes #3177
- uses an iFrame to initiate the download to hide the access token

The access token is now hidden in the admin logic. If we would like to
completely hide the token it is possible to remove the access token and
use signed requests instead, but I think the effort isn’t worth the
benefit in this case.
This commit is contained in:
Sebastian Gierlinger 2014-07-25 17:14:48 +02:00
parent 6628127297
commit f0d38aa66d
2 changed files with 9 additions and 14 deletions

View file

@ -1,11 +1,6 @@
var DebugController = Ember.Controller.extend(Ember.Evented, { var DebugController = Ember.Controller.extend(Ember.Evented, {
uploadButtonText: 'Import', uploadButtonText: 'Import',
exportPath: function () {
return this.get('ghostPaths.url').api('db') +
'?access_token=' + this.get('session.access_token');
}.property(),
actions: { actions: {
onUpload: function (file) { onUpload: function (file) {
var self = this, var self = this,
@ -33,15 +28,15 @@ var DebugController = Ember.Controller.extend(Ember.Evented, {
}, },
exportData: function () { exportData: function () {
var self = this; var iframe = $('#iframeDownload'),
downloadURL = this.get('ghostPaths.url').api('db') +
'?access_token=' + this.get('session.access_token');
ic.ajax.request(this.get('ghostPaths.url').api('db'), { if (iframe.length === 0) {
type: 'GET' iframe = $('<iframe>', { id: 'iframeDownload' }).hide().appendTo('body');
}).then(function () { }
self.notifications.showSuccess('Data exported successfully.');
}).catch(function (response) { iframe.attr('src', downloadURL);
self.notifications.showErrors(response);
});
}, },
sendTestEmail: function () { sendTestEmail: function () {

View file

@ -19,7 +19,7 @@
<fieldset> <fieldset>
<div class="form-group"> <div class="form-group">
<label>Export</label> <label>Export</label>
<a class="button-save" {{bind-attr href=exportPath}}>Export</a> <a class="button-save" {{action "exportData"}}>Export</a>
<p>Export the blog settings and data.</p> <p>Export the blog settings and data.</p>
</div> </div>
</fieldset> </fieldset>