
Don't require CSRF token for get files

This commit is contained in:
Chen-I Lim 2021-02-05 10:45:28 -08:00
parent b2a3dafbb2
commit c484eb8c43
2 changed files with 9 additions and 10 deletions


@ -55,6 +55,8 @@ func (a *API) RegisterRoutes(r *mux.Router) {
apiv1.HandleFunc("/login", a.handleLogin).Methods("POST") apiv1.HandleFunc("/login", a.handleLogin).Methods("POST")
apiv1.HandleFunc("/register", a.handleRegister).Methods("POST") apiv1.HandleFunc("/register", a.handleRegister).Methods("POST")
apiv1.HandleFunc("/files", a.sessionRequired(a.handleUploadFile)).Methods("POST")
apiv1.HandleFunc("/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET") apiv1.HandleFunc("/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET")
apiv1.HandleFunc("/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST") apiv1.HandleFunc("/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST")
@ -64,12 +66,9 @@ func (a *API) RegisterRoutes(r *mux.Router) {
apiv1.HandleFunc("/workspace", a.sessionRequired(a.handleGetWorkspace)).Methods("GET") apiv1.HandleFunc("/workspace", a.sessionRequired(a.handleGetWorkspace)).Methods("GET")
apiv1.HandleFunc("/workspace/regenerate_signup_token", a.sessionRequired(a.handlePostWorkspaceRegenerateSignupToken)).Methods("POST") apiv1.HandleFunc("/workspace/regenerate_signup_token", a.sessionRequired(a.handlePostWorkspaceRegenerateSignupToken)).Methods("POST")
// Files API // Get Files API
files := r.PathPrefix("/files/").Subrouter() files := r.PathPrefix("/files/").Subrouter()
files.Use(a.requireCSRFToken)
files.HandleFunc("/", a.sessionRequired(a.handleUploadFile)).Methods("POST")
files.HandleFunc("/(unknown)", a.sessionRequired(a.handleServeFile)).Methods("GET") files.HandleFunc("/(unknown)", a.sessionRequired(a.handleServeFile)).Methods("GET")
} }
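Review bot: Removing `files.Use(a.requireCSRFToken)` drops CSRF enforcement from the whole `/files/` subrouter, not only from the GET route the commit title names; that is equivalent today only because the upload handler moves to the apiv1 `/files` POST route in the first hunk, leaving GET `handleServeFile` as the sole route under the prefix. A comment on the subrouter should record that intent so a state-changing route is not added there later without the check, e.g. `// No CSRF middleware on this subrouter: only the GET file route lives here; mutating routes belong on apiv1 so they keep the CSRF check.` — presumably the GET is exempted because browser-initiated fetches cannot carry the CSRF header, but confirm and state the reason in the comment. Whether the apiv1 subrouter itself applies `requireCSRFToken` is set up earlier in RegisterRoutes, outside this hunk, so the relocated POST upload route should be verified against that. The `/(unknown)` path template on the GET route looks like an extraction artifact of this page rather than the real route pattern.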


@ -232,14 +232,14 @@ class OctoClient {
formData.append('file', file) formData.append('file', file)
try { try {
const response = await fetch(this.serverUrl + '/api/v1/files', { const headers = this.headers() as Record<string, string>
method: 'POST',
// TIPTIP: Leave out Content-Type here, it will be automatically set by the browser // TIPTIP: Leave out Content-Type here, it will be automatically set by the browser
headers: { delete headers['Content-Type']
Accept: 'application/json',
Authorization: this.token ? 'Bearer ' + this.token : '', const response = await fetch(this.serverUrl + '/api/v1/files', {
}, method: 'POST',
headers,
body: formData, body: formData,
}) })
if (response.status !== 200) { if (response.status !== 200) {
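Review bot: `delete headers['Content-Type']` mutates the object returned by `this.headers()`; if that method hands back a shared or cached object rather than a fresh literal, every later request would lose its Content-Type header. The method body is outside this hunk, so either confirm it builds a new object per call or copy before deleting: `const headers = {...(this.headers() as Record<string, string>)}`. The `as Record<string, string>` cast also suggests `headers()` is typed more loosely than this call site needs; giving `headers()` a typed return would remove the cast and make the key deletion type-checked. The enclosing upload method starts before this hunk.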