From c4394688def1e8802d2cf3bf39c49bf5a1d68157 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 3 Dec 2013 15:30:33 -0500
Subject: [PATCH] FIX: CSRF token retrieval bug
---
 .../discourse/controllers/login_controller.js | 101 +++++++++---------
 .../javascripts/discourse/mixins/ajax.js | 2 +-
 2 files changed, 53 insertions(+), 50 deletions(-)
diff --git a/app/assets/javascripts/discourse/controllers/login_controller.js b/app/assets/javascripts/discourse/controllers/login_controller.js
index 58664f6ff6a..f6e2f0dfc06 100644
--- a/app/assets/javascripts/discourse/controllers/login_controller.js
+++ b/app/assets/javascripts/discourse/controllers/login_controller.js
@@ -31,41 +31,62 @@ Discourse.LoginController = Discourse.Controller.extend(Discourse.ModalFunctiona return this.get('loggingIn') || this.blank('loginName') || this.blank('loginPassword'); }.property('loginName', 'loginPassword', 'loggingIn'), - login: function() { - this.set('loggingIn', true); - var loginController = this; - Discourse.ajax("/session", { - data: { login: this.get('loginName'), password: this.get('loginPassword') }, - type: 'POST' - }).then(function (result) { - // Successful login - if (result.error) { - loginController.set('loggingIn', false); - if( result.reason === 'not_activated' ) { - loginController.send('showNotActivated', { - username: loginController.get('loginName'), - sentTo: result.sent_to_email, - currentEmail: result.current_email - }); + actions: { + login: function() { + this.set('loggingIn', true); + + var loginController = this; + Discourse.ajax("/session", { + data: { login: this.get('loginName'), password: this.get('loginPassword') }, + type: 'POST' + }).then(function (result) { + // Successful login + if (result.error) { + loginController.set('loggingIn', false); + if( result.reason === 'not_activated' ) { + loginController.send('showNotActivated', { + username: loginController.get('loginName'), + sentTo: result.sent_to_email, + currentEmail: result.current_email + }); + } + loginController.flash(result.error, 'error'); + } else { + // Trigger the browser's password manager using the hidden static login form: + var $hidden_login_form = $('#hidden-login-form'); + $hidden_login_form.find('input[name=username]').val(loginController.get('loginName')); + $hidden_login_form.find('input[name=password]').val(loginController.get('loginPassword')); + $hidden_login_form.find('input[name=redirect]').val(window.location.href); + $hidden_login_form.submit(); } - loginController.flash(result.error, 'error'); + + }, function(result) { + // Failed to login + loginController.flash(I18n.t('login.error'), 'error'); + 
loginController.set('loggingIn', false); + }); + + return false; + }, + + externalLogin: function(loginMethod){ + var name = loginMethod.get("name"); + var customLogin = loginMethod.get("customLogin"); + + if(customLogin){ + customLogin(); } else { - // Trigger the browser's password manager using the hidden static login form: - var $hidden_login_form = $('#hidden-login-form'); - $hidden_login_form.find('input[name=username]').val(loginController.get('loginName')); - $hidden_login_form.find('input[name=password]').val(loginController.get('loginPassword')); - $hidden_login_form.find('input[name=redirect]').val(window.location.href); - $hidden_login_form.submit(); + this.set('authenticate', name); + var left = this.get('lastX') - 400; + var top = this.get('lastY') - 200; + + var height = loginMethod.get("frameHeight") || 400; + var width = loginMethod.get("frameWidth") || 800; + window.open(Discourse.getURL("/auth/" + name), "_blank", + "menubar=no,status=no,height=" + height + ",width=" + width + ",left=" + left + ",top=" + top); } - - }, function(result) { - // Failed to login - loginController.flash(I18n.t('login.error'), 'error'); - loginController.set('loggingIn', false); - }); - - return false; + } }, authMessage: (function() { 
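Review bot: The rejection callback of the `login` action, `function(result)` on the failed branch of the `Discourse.ajax("/session", …)` promise, never reads its argument, so every transport or server-side failure — presumably including a rejected CSRF token, which is what this commit fixes on the ajax side — is shown as the same generic `I18n.t('login.error')`. Either drop the unused parameter or use it, e.g. `}, function(xhr) {` and include `xhr.status` in the flash text so a 403 is distinguishable from bad credentials. The `actions` hash and the enclosing `Discourse.LoginController` definition start before and continue past this hunk.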
@@ -76,24 +97,6 @@ Discourse.LoginController = Discourse.Controller.extend(Discourse.ModalFunctiona
 }
 }).property('authenticate'),
 
- externalLogin: function(loginMethod){
- var name = loginMethod.get("name");
- var customLogin = loginMethod.get("customLogin");
- 
- if(customLogin){
- customLogin();
- } else {
- this.set('authenticate', name);
- var left = this.get('lastX') - 400;
- var top = this.get('lastY') - 200;
- 
- var height = loginMethod.get("frameHeight") || 400;
- var width = loginMethod.get("frameWidth") || 800;
- window.open(Discourse.getURL("/auth/" + name), "_blank",
- "menubar=no,status=no,height=" + height + ",width=" + width + ",left=" + left + ",top=" + top);
- }
- },
- 
 authenticationComplete: function(options) {
 if (options.requires_invite) {
 this.flash(I18n.t('login.requires_invite'), 'success');
diff --git a/app/assets/javascripts/discourse/mixins/ajax.js b/app/assets/javascripts/discourse/mixins/ajax.js
index 85b3814c2f1..8ebf34212db 100644
--- a/app/assets/javascripts/discourse/mixins/ajax.js
+++ b/app/assets/javascripts/discourse/mixins/ajax.js
@@ -83,7 +83,7 @@ Discourse.Ajax = Em.Mixin.create({
 return Ember.Deferred.promise(function(promise){
 $.ajax(Discourse.getURL('/session/csrf'))
 .success(function(result){
- Discourse.csrfToken = result.csrf;
+ Discourse.Session.currentProp('csrfToken', result.csrf);
 performAjax(promise);
 });
 });
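Review bot: The `/session/csrf` request in the ajax.js hunk registers only a `.success` handler, so if that GET fails (network error, non-2xx) `performAjax(promise)` never runs and the deferred returned by `Ember.Deferred.promise` never settles, leaving the original caller waiting forever. Add a failure branch that rejects it, e.g. `.error(function(xhr) { promise.reject(xhr); });` after the `.success(...)` call, assuming the deferred exposes `reject` alongside the `resolve` that `performAjax` presumably uses. The token is now stored with `Discourse.Session.currentProp('csrfToken', …)`, but the read side that attaches it to outgoing requests is not in this diff; confirm it reads the same session property rather than the old `Discourse.csrfToken`, otherwise the retrieval fix named in the subject is only half applied. The enclosing function, including the `performAjax` definition, lies outside the hunk.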