diff --git a/ghost/admin/assets/lib/uploader.js b/ghost/admin/assets/lib/uploader.js
index 28ecc9af34..2381271c32 100644
--- a/ghost/admin/assets/lib/uploader.js
+++ b/ghost/admin/assets/lib/uploader.js
@@ -64,6 +64,9 @@
         $dropzone.find('.js-fileupload').fileupload().fileupload("option", {
             url: '/ghost/upload/',
+            headers: {
+                'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+            },
             add: function (e, data) {
                 $dropzone.find('.js-fileupload').removeClass('right');
                 $dropzone.find('.js-url, button.centre').remove();
diff --git a/ghost/admin/init.js b/ghost/admin/init.js
index 77ca1043e9..5f1ab7a825 100644
--- a/ghost/admin/init.js
+++ b/ghost/admin/init.js
@@ -23,6 +23,16 @@
     _.extend(Ghost, Backbone.Events);
+    Backbone.oldsync = Backbone.sync;
+    // override original sync method to make header request contain csrf token
+    Backbone.sync = function (method, model, options, error) {
+        options.beforeSend = function (xhr) {
+            xhr.setRequestHeader('X-CSRF-Token', $("meta[name='csrf-param']").attr('content'));
+        };
+        /* call the old sync method */
+        return Backbone.oldsync(method, model, options, error);
+    };
+
     Ghost.init = function () {
         Ghost.router = new Ghost.Router();
diff --git a/ghost/admin/views/base.js b/ghost/admin/views/base.js
index f530000d59..56f9a70a4d 100644
--- a/ghost/admin/views/base.js
+++ b/ghost/admin/views/base.js
@@ -202,6 +202,9 @@
             if (self.className.indexOf('notification-persistent') !== -1) {
                 $.ajax({
                     type: "DELETE",
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     url: '/api/v0.1/notifications/' + $(self).find('.close').data('id')
                 }).done(function (result) {
                     bbSelf.$el.slideUp(250, function () {
@@ -231,6 +234,9 @@
                 bbSelf = this;
                 $.ajax({
                     type: "DELETE",
+                    headers: {
+                        'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                    },
                     url: '/api/v0.1/notifications/' + $(self).data('id')
                 }).done(function (result) {
                     var height = bbSelf.$('.js-notification').outerHeight(true),
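Review bot: The `headers: { 'X-CSRF-Token': $("meta[name='csrf-param']").attr('content') }` block added to the fileupload options here is repeated verbatim in base.js (both hunks), login.js (three hunks) and settings.js, while Backbone traffic is handled separately in init.js; a single prefilter registered once in init.js, e.g. `$.ajaxPrefilter(function (options, originalOptions, jqXHR) { if (!options.crossDomain) { jqXHR.setRequestHeader('X-CSRF-Token', $("meta[name='csrf-param']").attr('content')); } });`, should cover every `$.ajax`-based call (the upload plugin included) and removes the need to remember the header on the next endpoint. If such a prefilter is adopted, the `crossDomain` guard is the important part: the token is a credential and must only be attached to same-origin requests. The meta tag is queried by the name `csrf-param`, which by convention carries the parameter name rather than the token value; worth confirming against the server template that this tag is the one holding the token, since a missing tag makes `.attr('content')` return undefined and the request is likely sent with an unusable header value rather than failing visibly. The `$.ajax` option objects in these hunks begin and end outside the hunks.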
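Review bot: In the init.js hunk the override assigns `options.beforeSend` unconditionally, so any `beforeSend` a caller passes through `model.save()`/`fetch()` is silently discarded, and a direct `Backbone.sync(method, model)` call with no options object would throw on that assignment. Capturing the existing hook and chaining to it keeps both behaviours, and defaulting `options` covers the direct-call case; the rewritten body is shown below. Backbone.sync itself takes `(method, model, options)`, so the fourth `error` parameter appears to be a leftover that is always undefined — harmless to forward, but worth dropping or documenting. The enclosing scope that indents this hunk starts and ends outside it.
```javascript
Backbone.sync = function (method, model, options, error) {
    options = options || {};
    var callerBeforeSend = options.beforeSend;
    options.beforeSend = function (xhr) {
        xhr.setRequestHeader('X-CSRF-Token', $("meta[name='csrf-param']").attr('content'));
        // preserve any beforeSend the caller supplied
        if (callerBeforeSend) {
            return callerBeforeSend.apply(this, arguments);
        }
    };
    /* call the old sync method */
    return Backbone.oldsync(method, model, options, error);
};
```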
diff --git a/ghost/admin/views/login.js b/ghost/admin/views/login.js
index 9cbdbce012..e16a5531db 100644
--- a/ghost/admin/views/login.js
+++ b/ghost/admin/views/login.js
@@ -33,6 +33,9 @@
             $.ajax({
                 url: '/ghost/signin/',
                 type: 'POST',
+                headers: {
+                    'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                },
                 data: {
                     email: email,
                     password: password,
@@ -87,6 +90,9 @@
             $.ajax({
                 url: '/ghost/signup/',
                 type: 'POST',
+                headers: {
+                    'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                },
                 data: {
                     name: name,
                     email: email,
@@ -136,6 +142,9 @@
             $.ajax({
                 url: '/ghost/forgotten/',
                 type: 'POST',
+                headers: {
+                    'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                },
                 data: {
                     email: email
                 },
diff --git a/ghost/admin/views/settings.js b/ghost/admin/views/settings.js
index 3608adfa87..5d48b1340b 100644
--- a/ghost/admin/views/settings.js
+++ b/ghost/admin/views/settings.js
@@ -351,6 +351,9 @@
             $.ajax({
                 url: '/ghost/changepw/',
                 type: 'POST',
+                headers: {
+                    'X-CSRF-Token': $("meta[name='csrf-param']").attr('content')
+                },
                 data: {
                     password: oldPassword,
                     newpassword: newPassword,