
csrfミドルウェアを使用するようにした
[webchat/WebChat.git] / profile.js
index 15547b3..d93ed48 100644 (file)
@@ -31,7 +31,7 @@ function admin_proc(req, res)
                if(err != null)\r
                        RenderMessage(res,err,info);\r
                else{\r
-                       result.token = info.token;\r
+                       result.token = req.session._csrf;\r
                        res.setHeader("X-FRAME-OPTIONS","DENY");\r
                        res.render("profile/admin",result);\r
                }\r
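Review bot: `result.token = req.session._csrf` on the added line only holds a value once the csrf middleware has run for this request; if that middleware is mounted after the router or only on some paths, the admin template receives `undefined` and the POST that follows is rejected, or, if nothing validates it, accepted without a token. The commit does not show where the middleware is mounted, so that ordering is inferred rather than visible. Connect's csrf middleware also reads the submitted token from `req.body._csrf` (or the `X-CSRF-Token` header) rather than `req.body.token`, so the template must post the field under the name the middleware expects; the same applies to the renders changed in detail_proc, detail_postproc and registor_proc. admin_proc's body starts before this hunk.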
@@ -40,10 +40,6 @@ function admin_proc(req, res)
 \r
 function admin_postproc(req,res)\r
 {\r
-       if(req.session.items.token != req.body.token){\r
-               RenderMessage(res,resource.invaild_parameter,req.session.items);\r
-               return;\r
-       }\r
        async.waterfall([\r
                function(cb){\r
                        if(typeof(req.body.removeall) != "undefined")\r
@@ -132,17 +128,13 @@ function detail_proc(req, res)
                        RenderMessage(res,resource.notfound_name,req.session.items);\r
                else{\r
                        res.setHeader("X-FRAME-OPTIONS","DENY");\r
-                       res.render("profile/detail",{list:result,token:req.session.items.token,admin:req.session.items.admin});\r
+                       res.render("profile/detail",{list:result,token:req.session._csrf,admin:req.session.items.admin});\r
                }\r
        });\r
 }\r
 \r
 function detail_postproc(req, res)\r
 {\r
-       if(req.session.items.token != req.body.token){\r
-               RenderMessage(res,resource.invaild_parameter,req.session.items);\r
-               return;\r
-       }\r
        if(typeof(req.body.remove) != "undefined"){\r
                async.waterfall([\r
                        function(cb){\r
@@ -184,7 +176,7 @@ function detail_postproc(req, res)
                                RenderMessage(res,err,req.session.items);\r
                        }else if(result != null){\r
                                res.setHeader("X-FRAME-OPTIONS","DENY");\r
-                               res.render("profile/edit",{list:result,token:req.body.token});\r
+                               res.render("profile/edit",{list:result,token:req.session._csrf});\r
                        }else{\r
                                RenderMessage(res,resource.unmatch_password,req.session.items);\r
                        }\r
@@ -196,10 +188,6 @@ function detail_postproc(req, res)
 \r
 function edit_postproc(req, res)\r
 {\r
-       if(req.session.items.token != req.body.token){\r
-               RenderMessage(res,resource.invaild_parameter,req.session.items);\r
-               return;\r
-       }\r
        if(typeof(req.body.name) == "undefined")\r
        {\r
                RenderMessage(res,resource.invaild_parameter,req.session.items);\r
@@ -225,10 +213,6 @@ function edit_postproc(req, res)
 \r
 function registor_postproc(req, res)\r
 {\r
-       if(req.session.items.token != req.body.token){\r
-               RenderMessage(res,resource.invaild_parameter,req.session.items);\r
-               return;\r
-       }\r
        if(typeof(req.body.registor) != "undefined"){\r
                async.waterfall([\r
                        function(cb){\r
@@ -251,13 +235,13 @@ function registor_proc(req, res)
                req.session.items = new security.SessionInfomation(false);\r
 \r
        res.setHeader("X-FRAME-OPTIONS","DENY");\r
-       res.render("profile/registor",{token:req.session.items.token});\r
+       res.render("profile/registor",{token:req.session._csrf});\r
 }\r
 \r
 function RenderMessage(res,msg,info)\r
 {\r
-       if(typeof(info) == "undefined")\r
-               res.render("profile/message",{message:msg});\r
+       if(typeof(info) == "undefined" || typeof(info.admin) == "undefined")\r
+               res.render("profile/message",{message:msg,admin:false});\r
        else\r
                res.render("profile/message",{message:msg,admin:info.admin});\r
 }\r
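Review bot: The new guard `typeof(info) == "undefined" || typeof(info.admin) == "undefined"` still dereferences `info.admin` when a caller passes `null`, because `typeof null` is `"object"`; `if(info == null || typeof(info.admin) == "undefined")` covers both cases. Whether any RenderMessage caller actually hands over `null` is not visible here, but the `RenderMessage(res,err,info)` call in admin_proc passes a value whose origin is outside the diff, so the wider check is cheap insurance. In registor_proc the `req.session.items` assignment at the top of the hunk belongs to a condition that starts before it.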