Verify CSRF token for reads_controller (forem#184)

anonymous-security-public · Apr 6, 2018 · f0b3e65 · f0b3e65
1 parent 02cff62
commit f0b3e65
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/app/assets/javascripts/initializers/initNotifications.js b/app/assets/javascripts/initializers/initNotifications.js
@@ -16,7 +16,11 @@ function markNotificationsAsRead() {
       }
       xmlhttp.onreadystatechange = function () {
       };
+
+      var csrfToken = document.querySelector("meta[name='csrf-token']").content;
+
       xmlhttp.open('Post', '/notifications/reads', true);
+      xmlhttp.setRequestHeader('X-CSRF-Token', csrfToken);
       xmlhttp.send();
     }
   }, 120);

diff --git a/app/controllers/notifications/reads_controller.rb b/app/controllers/notifications/reads_controller.rb
@@ -1,5 +1,4 @@
 class Notifications::ReadsController < ApplicationController
-  skip_before_action :verify_authenticity_token
   skip_before_action :ensure_signup_complete
   def create
     result = ""