From 2c490773f1739b1fc88dfca09ecdf43e907c89d5 Mon Sep 17 00:00:00 2001
From: Jarek Radosz
Date: Fri, 6 Oct 2023 15:26:39 +0200
Subject: [PATCH] FIX: Always use the current session token in uppy (#23812)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
…rather than the value at the time when uppy is initialized. Future TODO: extract csrf-fetching logic from ajax helper to Session service.
---
 .../javascripts/discourse/app/mixins/composer-upload-uppy.js | 4 ++--
 app/assets/javascripts/discourse/app/mixins/uppy-upload.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/assets/javascripts/discourse/app/mixins/composer-upload-uppy.js b/app/assets/javascripts/discourse/app/mixins/composer-upload-uppy.js
index c8904b9dc5f..62d86433460 100644
--- a/app/assets/javascripts/discourse/app/mixins/composer-upload-uppy.js
+++ b/app/assets/javascripts/discourse/app/mixins/composer-upload-uppy.js
@@ -544,9 +544,9 @@ export default Mixin.create(ExtendableUploader, UppyS3Multipart, {
 _useXHRUploads() {
 this._uppyInstance.use(XHRUpload, {
 endpoint: getURL(`/uploads.json?client_id=${this.messageBus.clientId}`),
- headers: {
+ headers: () => ({
 "X-CSRF-Token": this.session.csrfToken,
- },
+ }),
 });
 },
diff --git a/app/assets/javascripts/discourse/app/mixins/uppy-upload.js b/app/assets/javascripts/discourse/app/mixins/uppy-upload.js
index 7b708d915e3..60369704faf 100644
--- a/app/assets/javascripts/discourse/app/mixins/uppy-upload.js
+++ b/app/assets/javascripts/discourse/app/mixins/uppy-upload.js
@@ -350,9 +350,9 @@ export default Mixin.create(UppyS3Multipart, ExtendableUploader, {
 _useXHRUploads() {
 this._uppyInstance.use(XHRUpload, {
 endpoint: this._xhrUploadUrl(),
- headers: {
+ headers: () => ({
 "X-CSRF-Token": this.session.csrfToken,
- },
+ }),
 });
 },
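Review bot: The new `headers` callback in `_useXHRUploads` of composer-upload-uppy.js (and the identical one in uppy-upload.js) has no comment explaining why it is a function, so a later cleanup could fold it back into an object literal and bring back the stale `X-CSRF-Token`. I would add `// Must be a function: the CSRF token is read per request because it can change after uppy is set up` above `headers:` in both mixins. The callback also passes on whatever `this.session.csrfToken` holds at request time. The commit message's TODO suggests the token-fetching logic still lives only in the ajax helper, so an unset token would presumably produce a rejected upload rather than a refetch; that is worth confirming. The diffstat shows only the two mixins changed, so a test that changes `session.csrfToken` after initialization and asserts the header sent with the next upload would pin the fix.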