Use custom csrf cookie name to avoid name conflict

2025-05-12 18:05:05 +00:00 · 2018-08-30 11:40:45 +08:00 · 2018-08-30 11:40:45 +08:00 · 0f59f84804
commit 0f59f84804
parent 1faa061321
5 changed files with 7 additions and 4 deletions
--- a/media/js/base.js
+++ b/media/js/base.js
@ -103,7 +103,7 @@ function addConfirmTo(op_ele, popup) {
                $('<form>', {
                    "method": 'POST',
                    "action": $(this).data('url'),
-                    "html": '<input name="csrfmiddlewaretoken" value="' + getCookie('csrftoken') + '" type="hidden">'
+                    "html": '<input name="csrfmiddlewaretoken" value="' + getCookie('sfcsrftoken') + '" type="hidden">'
                }).appendTo(document.body).trigger('submit');
            } else { // default
                location.href = $(this).data('url');
@ -130,7 +130,7 @@ function addFormPost(op_ele) {
        $('<form>', {
            "method": 'POST',
            "action": $(this).data('url'),
-            "html": '<input name="csrfmiddlewaretoken" value="' + getCookie('csrftoken') + '" type="hidden">'
+            "html": '<input name="csrfmiddlewaretoken" value="' + getCookie('sfcsrftoken') + '" type="hidden">'
        }).appendTo(document.body).trigger('submit');
        return false;
    });
@ -223,7 +223,7 @@ function getCookie(name) {
 function prepareCSRFToken(xhr, settings) {
    if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
        // Only send the token to relative URLs i.e. locally.
-        xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+        xhr.setRequestHeader("X-CSRFToken", getCookie('sfcsrftoken'));
    }
 }

--- a/seahub/base/context_processors.py
+++ b/seahub/base/context_processors.py
@ -108,6 +108,7 @@ def base(request):
        'multi_institution': getattr(dj_settings, 'MULTI_INSTITUTION', False),
        'search_repo_id': search_repo_id,
        'SITE_ROOT': SITE_ROOT,
+        'CSRF_COOKIE_NAME': dj_settings.CSRF_COOKIE_NAME,
        'constance_enabled': dj_settings.CONSTANCE_ENABLED,
        'FILE_SERVER_ROOT': file_server_root,
        'LOGIN_URL': dj_settings.LOGIN_URL,
--- a/seahub/settings.py
+++ b/seahub/settings.py
@ -130,6 +130,7 @@ MIDDLEWARE_CLASSES = (
 SITE_ROOT_URLCONF = 'seahub.urls'
 ROOT_URLCONF = 'seahub.utils.rooturl'
 SITE_ROOT = '/'
+CSRF_COOKIE_NAME = 'sfcsrftoken'

 # Python dotted path to the WSGI application used by Django's runserver.
 WSGI_APPLICATION = 'seahub.wsgi.application'
--- a/seahub/templates/base_for_backbone.html
+++ b/seahub/templates/base_for_backbone.html
@ -120,6 +120,7 @@ var app = {
        mediaUrl: '{{ MEDIA_URL }}',
        siteRoot: '{{ SITE_ROOT }}',
        loginUrl: '{{ LOGIN_URL }}',
+        csrfCookieName: '{{ CSRF_COOKIE_NAME }}',
        fileServerRoot: '{{ FILE_SERVER_ROOT }}'
    }
 };
--- a/static/scripts/common.js
+++ b/static/scripts/common.js
@ -530,7 +530,7 @@ define([
            }
            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
                // Only send the token to relative URLs i.e. locally.
-                xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+                xhr.setRequestHeader("X-CSRFToken", getCookie(app.config.csrfCookieName));
            }
        },