From 50e392d8dea8dfe36153508e2f24000df0e4b1eb Mon Sep 17 00:00:00 2001
From: Agate <me@agate.blue>
Date: Tue, 9 Jun 2020 14:32:02 +0200
Subject: [PATCH] Fix #1153: post issue on some URLs due to missing CSRF token

---
 front/src/components/audio/Player.vue             |  1 -
 front/src/components/audio/SearchBar.vue          |  5 ++++-
 front/src/components/library/FileUploadWidget.vue |  6 +++++-
 front/src/components/library/TagsSelector.vue     |  5 ++++-
 front/src/components/library/radios/Filter.vue    |  4 +++-
 front/src/utils.js                                | 12 ++++++++++++
 6 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/front/src/components/audio/Player.vue b/front/src/components/audio/Player.vue
index 1296ecb97..a6d638995 100644
--- a/front/src/components/audio/Player.vue
+++ b/front/src/components/audio/Player.vue
@@ -436,7 +436,6 @@ export default {
           param = "token"
           value = this.$store.state.auth.scopedTokens.listen
         }
-        console.log('HELLO', param, value, this.$store.state.auth.scopedTokens)
         sources.forEach(e => {
           e.url = url.updateQueryString(e.url, param, value)
         })
diff --git a/front/src/components/audio/SearchBar.vue b/front/src/components/audio/SearchBar.vue
index 60650c52e..8df8b1826 100644
--- a/front/src/components/audio/SearchBar.vue
+++ b/front/src/components/audio/SearchBar.vue
@@ -70,7 +70,10 @@ export default {
           if (!self.$store.state.auth.authenticated) {
             return xhrObject
           }
-          xhrObject.setRequestHeader('Authorization', self.$store.getters['auth/header'])
+
+          if (self.$store.state.auth.oauth.accessToken) {
+            xhrObject.setRequestHeader('Authorization', self.$store.getters['auth/header'])
+          }
           return xhrObject
         },
         onResponse: function (initialResponse) {
diff --git a/front/src/components/library/FileUploadWidget.vue b/front/src/components/library/FileUploadWidget.vue
index 7557d61e4..c91916c03 100644
--- a/front/src/components/library/FileUploadWidget.vue
+++ b/front/src/components/library/FileUploadWidget.vue
@@ -1,5 +1,6 @@
 <script>
 import FileUpload from 'vue-upload-component'
+import {setCsrf} from '@/utils'
 
 export default {
   extends: FileUpload,
@@ -32,7 +33,10 @@ export default {
       form.append(this.name, file.file, filename)
       let xhr = new XMLHttpRequest()
       xhr.open('POST', file.postAction)
-      xhr.setRequestHeader('Authorization', this.$store.getters['auth/header'])
+      setCsrf(xhr)
+      if (this.$store.state.auth.oauth.accessToken) {
+        xhr.setRequestHeader('Authorization', this.$store.getters['auth/header'])
+      }
       return this.uploadXhr(xhr, file, form)
     }
   }
diff --git a/front/src/components/library/TagsSelector.vue b/front/src/components/library/TagsSelector.vue
index 87a40401e..5b2fa0c96 100644
--- a/front/src/components/library/TagsSelector.vue
+++ b/front/src/components/library/TagsSelector.vue
@@ -39,7 +39,10 @@ export default {
         apiSettings: {
           url: this.$store.getters['instance/absoluteUrl']('/api/v1/tags/?name__startswith={query}&ordering=length&page_size=5'),
           beforeXHR: function (xhrObject) {
-            xhrObject.setRequestHeader('Authorization', self.$store.getters['auth/header'])
+
+            if (self.$store.state.auth.oauth.accessToken) {
+              xhrObject.setRequestHeader('Authorization', self.$store.getters['auth/header'])
+            }
             return xhrObject
           },
           onResponse(response) {
diff --git a/front/src/components/library/radios/Filter.vue b/front/src/components/library/radios/Filter.vue
index 9830d870d..d871d8867 100644
--- a/front/src/components/library/radios/Filter.vue
+++ b/front/src/components/library/radios/Filter.vue
@@ -114,7 +114,9 @@ export default {
         settings.apiSettings = {
           url: self.$store.getters['instance/absoluteUrl'](f.autocomplete + '?' + f.autocomplete_qs),
           beforeXHR: function (xhrObject) {
-            xhrObject.setRequestHeader('Authorization', self.$store.getters['auth/header'])
+            if (self.$store.state.auth.oauth.accessToken) {
+              xhrObject.setRequestHeader('Authorization', self.$store.getters['auth/header'])
+            }
             return xhrObject
           },
           onResponse: function (initialResponse) {
diff --git a/front/src/utils.js b/front/src/utils.js
index ad763fe00..50d308288 100644
--- a/front/src/utils.js
+++ b/front/src/utils.js
@@ -33,3 +33,15 @@ export function parseAPIErrors(responseData, parentField) {
   }
   return errors
 }
+
+export function getCookie(name) {
+  return document.cookie
+  .split('; ')
+  .find(row => row.startsWith(name))
+  .split('=')[1];
+}
+export function setCsrf(xhr) {
+  if (getCookie('csrftoken')) {
+    xhr.setRequestHeader('X-CSRFToken', getCookie('csrftoken'))
+  }
+}