From 5cec28e29b33fc2ab6c3006b59b06fe103629416 Mon Sep 17 00:00:00 2001 From: Matchu Date: Tue, 7 Aug 2012 17:32:51 -0400 Subject: [PATCH] fix logout bug: stop caching authenticity_token fields Many forms on the site contain a hidden authenticity_token field, unique to each visitory. If a user submits a request with an invalid authenticity_token, Rails assumes that it's a CSRF attempt and logs out the user. So, if we happen to cache those forms with authenticity_token fields, all users who use that form will have the same authenticity_token (valid for only the first user who saw the form, invalid for everyone else), and all requests made through that form will log out the user. Bad news. So, we stopped caching those forms. Yay! --- app/views/outfits/new.html.haml | 56 +++++++++++++++++---------------- app/views/pets/bulk.html.haml | 8 +++-- 2 files changed, 34 insertions(+), 30 deletions(-) diff --git a/app/views/outfits/new.html.haml b/app/views/outfits/new.html.haml index 1c8eece2..d4427cd9 100644 --- a/app/views/outfits/new.html.haml +++ b/app/views/outfits/new.html.haml @@ -28,8 +28,8 @@ = pet_attribute_select 'species', @species %input{:type => "submit", :value => "Go"} -- cache :action_suffix => 'sections_and_description' do - %ul#sections +%ul#sections + - cache :action_suffix => 'your_items_module' do %li#your-items-module = link_to image_tag('your_items.png'), your_items_path %h3 @@ -43,6 +43,7 @@ = text_field_tag 'name', '', :placeholder => raw('find a user…'), :type => 'search' = submit_tag 'search' + - cache :action_suffix => 'infinite_closet_module' do %li %a{:href => items_path} = image_tag 'items.png' 
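Review bot: The new `- cache :action_suffix => 'your_items_module' do` block still wraps a search form, since the `text_field_tag 'name'` and `submit_tag 'search'` context lines of the second hunk sit inside it, but the `form_tag` line that opens that form lies outside both hunks, so it is not visible whether it renders a hidden authenticity_token. If it is a POST `form_tag`, that token is cached under a key built only from the action and suffix, and the logout symptom this commit fixes survives for that form; the same applies to the `infinite_closet_module` block added at the end of the second hunk, whose `text_field_tag 'q'` form appears as context in the following hunk. Confirm each wrapped form passes `:method => :get` (Rails emits no token for GET forms), or move the form out of the cache block. A comment above each `- cache` line, e.g. `-# fragment key is per-action, not per-user: keep authenticity_token fields out of this block`, would record the constraint for the next editor.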
@@ -57,21 +58,21 @@ = text_field_tag 'q', '', :placeholder => raw('find an item…'), :type => 'search' = submit_tag 'search' - %li + %li + %a{:href => bulk_pets_path} + = image_tag 'http://images.neopets.com/items/mall_ac_garland_spotlight.gif' + %h3 %a{:href => bulk_pets_path} - = image_tag 'http://images.neopets.com/items/mall_ac_garland_spotlight.gif' - %h3 - %a{:href => bulk_pets_path} - Modeling Hub - %div - %h4 Found something? - %p - Enter a pet's name here and we'll keep a copy of what it's wearing. - Thanks so much! - = form_tag load_pet_path do - = origin_tag root_path - = pet_name_tag :placeholder => raw('model a pet…') - = submit_tag 'submit' + Modeling Hub + %div + %h4 Found something? + %p + Enter a pet's name here and we'll keep a copy of what it's wearing. + Thanks so much! + = form_tag load_pet_path do + = origin_tag root_path + = pet_name_tag :placeholder => raw('model a pet…') + = submit_tag 'submit' #latest-contribution = link_to 'Contributions:', contributions_path, :id => 'recent-contributions-link' @@ -85,17 +86,18 @@ %span#latest-contribution-created-at{:title => @latest_contribution.created_at.to_s} #{time_ago_in_words @latest_contribution.created_at} ago -#whats-new - #blog-preview - %h2 - %div - %a#blog-preview-linkback{:href => 'http://blog.openneo.net/'} OpenNeo Blog - - #newest-items - %h2 New Items - %ul - - @newest_items.each do |item| - = link_to image_tag(item.thumbnail_url), item +- cache :action_suffix => 'whats_new' do + #whats-new + #blog-preview + %h2 + %div + %a#blog-preview-linkback{:href => 'http://blog.openneo.net/'} OpenNeo Blog + + #newest-items + %h2 New Items + %ul + - @newest_items.each do |item| + = link_to image_tag(item.thumbnail_url), item - content_for :javascripts do = include_javascript_libraries :jquery diff --git a/app/views/pets/bulk.html.haml b/app/views/pets/bulk.html.haml index ccffc2f8..966a2ac3 100644 --- a/app/views/pets/bulk.html.haml +++ b/app/views/pets/bulk.html.haml 
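Review bot: The moved `= image_tag 'http://images.neopets.com/items/mall_ac_garland_spotlight.gif'` line keeps a scheme-locked http URL on the new side; if this page is ever served over HTTPS the browser treats it as mixed content and may block or flag it. The surrounding Modeling Hub `%li` is now a sibling of the `- cache` blocks in `%ul#sections` rather than inside one, which is what the commit intends, so only the URL form is worth revisiting. Switching to an https URL if that host supports it would avoid the issue; this is minor and separate from the caching fix.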
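Review bot: The new `- cache :action_suffix => 'whats_new' do` block has a key built only from the action name and suffix, so the `@newest_items` list rendered inside it is served from the first render until the fragment is expired elsewhere; nothing in this hunk ties the key to the data or gives the fragment a lifetime. Unless a sweeper or observer already expires this fragment, pass a key that changes with the data or set a lifetime, e.g. `- cache({:action_suffix => 'whats_new'}, :expires_in => 1.hour) do`. The enclosing template continues past the hunk, so I cannot see whether a later `content_for` depends on this block.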
@@ -1,7 +1,7 @@ - title 'Modeling Hub' -- cache do - = form_tag load_pet_path, :id => 'needed-items-form' do += form_tag load_pet_path, :id => 'needed-items-form' do + - cache :action_suffix => 'needed_items_content' do %h3 Looking for ways to contribute? %p @@ -27,7 +27,8 @@ %ul#needed-items-pet-items - = form_tag load_pet_path, :id => 'bulk-pets-form' do += form_tag load_pet_path, :id => 'bulk-pets-form' do + - cache :action_suffix => 'bulk_pets_content' do %h3 Model pets in bulk %p @@ -46,6 +47,7 @@ %button#bulk-pets-form-clear{:type => "button"} Clear %ul +- cache :action_suffix => 'item_template' do %script#item-template{:type => 'text/x-jquery-tmpl'} %li{:class => 'object{{if owned}} owned{{/if}}'} = link_to item_path(':id').sub(':id', '${id}') do
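Review bot: In the first hunk the `- cache :action_suffix => 'needed_items_content' do` block is now nested inside `= form_tag load_pet_path, :id => 'needed-items-form' do`, and the second hunk does the same for `bulk_pets_content`; `form_tag` emits the hidden authenticity_token at the form opening, before the block content, so the token lands outside the fragment, which is the intended fix. The fields and submit controls that follow inside each form are outside the hunks, so it is not visible whether any of them are per-user, yet everything inside a `- cache` block is shared across users because the key is built only from the action and suffix. A `-#` comment on each `- cache` line, e.g. `-# shared per-action fragment: nothing user-specific (tokens, names) may render inside`, would make that invariant explicit. Replacing the bare `- cache do` also leaves the old unsuffixed fragment in the store until it is evicted, which is harmless but worth knowing when chasing stale output.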