CSRF token has been added generally on all post request with post met…

…hod. (http, https, and APIs)

nodcms-core/Libraries/Form.php

@@ -129,15 +129,6 @@ function __construct($CI)
 
     function config($inputs, $action = '', $method = 'post', $type = 'ajax', $notes = array())
     {
-        // Add CSRF token on SSL Protocol requests
-        if(SSL_PROTOCOL) {
-            $inputs[] = [
-                'field'=>csrf_token(),
-                'type'=>"hidden",
-                'default'=>csrf_hash(),
-                'rules'=>"",
-            ];
-        }
         $this->data['inputs'] = $inputs;
         $this->data['action'] = $action;
         $this->data['back_url'] = $action;

nodcms-layout/Views/admin/layout.php

@@ -11,6 +11,7 @@
     <?php } ?>
     <title><?php echo $title; ?> <?php echo isset($sub_title)?$sub_title:""; ?></title>
 
+    <?php echo csrf_meta("csrf_meta"); ?>
     <?php echo $this->settings['add_on_header']; ?>
 
     <link href="//fonts.googleapis.com/css?family=Open+Sans:400,300,600,700&subset=all" rel="stylesheet" type="text/css"/>

nodcms-layout/Views/nodcms-clean.php

@@ -11,6 +11,7 @@
     <?php } ?>
     <title><?php echo $title; ?> <?php echo isset($sub_title)?$sub_title:""; ?></title>
 
+    <?php echo csrf_meta("csrf_meta"); ?>
     <?php echo $this->settings['add_on_header']; ?>
 
     <!-- BEGIN GLOBAL MANDATORY STYLES -->

nodcms-layout/Views/nodcms-frontend.php

@@ -13,6 +13,7 @@
     <link rel="shortcut icon" href="<?php echo base_url($settings["fav_icon"]); ?>">
     <?php } ?>
     <title><?php echo $title; ?> <?php echo isset($sub_title)?$sub_title:""; ?></title>
+    <?php echo csrf_meta("csrf_meta"); ?>
     <?php echo $this->settings['add_on_header']; ?>
     <link href="//fonts.googleapis.com/css?family=Open+Sans:400,300,600,700&subset=all" rel="stylesheet" type="text/css"/>
     <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.2.0/css/all.css">

nodcms-layout/Views/nodcms-membership.php

@@ -11,6 +11,7 @@
     <?php } ?>
     <title><?php echo $title; ?> <?php echo isset($sub_title)?$sub_title:""; ?></title>
 
+    <?php echo csrf_meta("csrf_meta"); ?>
     <?php echo $this->settings['add_on_header']; ?>
 
     <!-- BEGIN GLOBAL MANDATORY STYLES -->

nodcms-users/Views/layout.php

@@ -18,6 +18,7 @@
     <meta charset="utf-8"/>
     <title><?php echo $title; ?></title>
 
+    <?php echo csrf_meta("csrf_meta"); ?>
     <?php echo $this->settings['add_on_header']; ?>
 
     <meta http-equiv="X-UA-Compatible" content="IE=edge">

public/assets/nodcms/js/common.js

@@ -16,6 +16,36 @@ function translate(value){
 }
 
 (function ($) {
+
+    // Save the origin jquery ajax
+    let $originAjax = $.ajax;
+
+    // Reset jquery ajax function to add csrf token generally
+    $.ajax = function (url, options) {
+
+        // If url is an object, simulate pre-1.5 signature
+        if ( typeof url === "object" ) {
+            options = url;
+            url = undefined;
+        }
+
+        // Force options to be an object
+        options = options || {};
+
+        if((options.hasOwnProperty('method') && options.method !== null && options.method.toLowerCase() === "post") ||
+            (options.hasOwnProperty('type') && options.type !== null && options.type.toLowerCase() === "post")) {
+            let m = document.getElementById('csrf_meta');
+            if(m !== null) {
+                if(!options.hasOwnProperty('headers'))  options['headers'] = {};
+                if(!options.headers.hasOwnProperty(m.getAttribute('name'))) {
+                    options.headers[m.getAttribute('name')] = m.getAttribute('content');
+                }
+            }
+        }
+
+        return $originAjax(url, options);
+    };
+
     $.dataListSearch = function () {
         var query_string = "?";
         $('.data-list-search-input').each(function () {