From 29b2db8198f235b1187cb565664e27b8f4173628 Mon Sep 17 00:00:00 2001
From: Jeff Becker <ampernand@gmail.com>
Date: Tue, 12 Apr 2016 19:39:56 -0400
Subject: [PATCH] update csrf

---
 contrib/static/mod.js | 89 ++++++++++++++++++++++++-------------------
 1 file changed, 49 insertions(+), 40 deletions(-)

diff --git a/contrib/static/mod.js b/contrib/static/mod.js
index f28d334..c87b775 100644
--- a/contrib/static/mod.js
+++ b/contrib/static/mod.js
@@ -143,7 +143,7 @@ function nntpchan_delete() {
 }
 
 function nntpchan_mod(mod_action, result_elem) {
-
+  
   // get the element
   var input = document.getElementById("nntpchan_mod_target");
   var target = null;
@@ -165,50 +165,59 @@ function nntpchan_mod(mod_action, result_elem) {
     elem.removeChild(elem.firstChild);
   }
 
-
-  // fire off ajax
-  var ajax = new XMLHttpRequest();
-  ajax.onreadystatechange = function() {
-    if (ajax.readyState == XMLHttpRequest.DONE) {
-      var status = ajax.status;
-      // we gud?
-      if (status == 200) {
-        // yah
-        var txt = ajax.responseText;
-        var j = JSON.parse(txt);
-        if (j.error) {
-          var e = document.createTextNode(j.error);
-          elem.appendChild(e);
-        } else {
-          if (mod_action.handle) {
-            var result = mod_action.handle(j);
-            if (result) {
-              elem.appendChild(result);
+  var csrf_ajax = new XMLHttpRequest();
+  csrf_ajax.onreadystatechange = function() {
+    if (csrf_ajax.readyState == XMLHttpRequest.DONE) {
+      // get csrf token
+      var csrf = csrf_ajax.getResponseHeader("X-CSRF-Token");
+      // fire off ajax
+      var ajax = new XMLHttpRequest();
+      ajax.onreadystatechange = function() {
+        if (ajax.readyState == XMLHttpRequest.DONE) {
+          var status = ajax.status;
+          // we gud?
+          if (status == 200) {
+            // yah
+            var txt = ajax.responseText;
+            var j = JSON.parse(txt);
+            if (j.error) {
+              var e = document.createTextNode(j.error);
+              elem.appendChild(e);
+            } else {
+              if (mod_action.handle) {
+                var result = mod_action.handle(j);
+                if (result) {
+                  elem.appendChild(result);
+                }
+              }
             }
+          } else if (status) {
+            // nah
+            // http error
+            elem.innerHTML = "error: HTTP "+status;
+          }
+          // clear input
+          if (input) {
+            input.value = "";
           }
         }
-      } else if (status) {
-        // nah
-        // http error
-        elem.innerHTML = "error: HTTP "+status;
       }
-      // clear input
-      if (input) {
-        input.value = "";
+      ajax.setRequestHeader("X-CSRF-Token", csrf);
+      if (mod_action.name) {
+        var url = mod_action.name + "/" + target;
+        ajax.open(mod_action.method || "GET", url);
+        var data = mod_action.data;
+        if (data) {
+          ajax.setRequestHeader("Content-type","text/json");
+          ajax.send(JSON.stringify(data));
+        } else {
+          ajax.send();
+        }
+      } else {
+        alert("mod action has no name");
       }
     }
   }
-  if (mod_action.name) {
-    var url = mod_action.name + "/" + target;
-    ajax.open(mod_action.method || "GET", url);
-    var data = mod_action.data;
-    if (data) {
-      ajax.setRequestHeader("Content-type","text/json");
-      ajax.send(JSON.stringify(data));
-    } else {
-      ajax.send();
-    }
-  } else {
-    alert("mod action has no name");
-  }
+  csrf_ajax.open("");
+  csrf_ajax.send();
 }