Make sure all forms have the correct authenticity token

A cached page may include forms, which will then have the wrong
authenticity token, so after the page has finished loading we fix
up those tokens using the one from the meta tags which will always
be correct as we never cache the layout.

diff --git a/app/views/layouts/site.html.erb b/app/views/layouts/site.html.erb
index 44329edb5c622e72e9516b86b80d35a260fe6aac..6fc7cb869b039da766b2598e7e10f809da066013 100644 (file)
--- a/app/views/layouts/site.html.erb
+++ b/app/views/layouts/site.html.erb
@@ -63,7 +63,6 @@
     </script>
 
     <div id="left">
-
       <div id="logo">
         <center>
           <h1><%= t 'layouts.project_name.h1' %></h1>
@@ -125,6 +124,17 @@
         </div>
       </center>
     </div>
+
+    <script type="text/javascript">
+    document.observe("dom:loaded", function () {
+      var auth_token = $$("meta[name=csrf-token]")[0].content;
+
+      $$("form input[name=authenticity_token]").each(function (input) {
+        input.value = auth_token;
+      });
+    }
+    </script>
+
     <% if defined?(PIWIK_LOCATION) and defined?(PIWIK_SITE) -%>
     <%= render :partial => "layouts/piwik" %>
     <% end -%>