From 85094ff8caac585cbff260fe89a6f21df241fd47 Mon Sep 17 00:00:00 2001
From: Caio Carrara
Date: Fri, 24 Jun 2016 14:58:39 -0300
Subject: Fix xsrf-token verification in async calls

The previous behaviour only checked xsrf-token in headers, but it can be informed in a token as well.
---
 service/pixelated/resources/root_resource.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'service/pixelated/resources/root_resource.py')

diff --git a/service/pixelated/resources/root_resource.py b/service/pixelated/resources/root_resource.py
index c9808a03..6886dda6 100644
--- a/service/pixelated/resources/root_resource.py
+++ b/service/pixelated/resources/root_resource.py
@@ -70,7 +70,7 @@ class RootResource(BaseResource):
         ajax_request = (request.getHeader('x-requested-with') == 'XMLHttpRequest')
         if ajax_request:
-            xsrf_header = request.getHeader('x-xsrf-token')
+            xsrf_header = xsrf_token or request.getHeader('x-xsrf-token')
             return xsrf_header and xsrf_header == xsrf_token
 
         get_request = (request.method == 'GET')
-- 
cgit v1.2.3
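Review bot: The added line `xsrf_header = xsrf_token or request.getHeader('x-xsrf-token')` turns the following `return xsrf_header and xsrf_header == xsrf_token` into a tautology whenever `xsrf_token` is non-empty: the value is compared against itself, so a missing or wrong `x-xsrf-token` header no longer fails the check for XMLHttpRequest calls. Where `xsrf_token` is obtained is outside the hunk (the enclosing method starts before it); if it is the expected value the request must prove knowledge of, the old line `xsrf_header = request.getHeader('x-xsrf-token')` should be restored. If the intent stated in the commit message is to accept the token from a second location, that submitted value has to be read separately from the request and compared against the expected token, not substituted for the header and then compared to itself. As a pre-existing caveat, the equality test is better done with `hmac.compare_digest` so the comparison does not leak timing information about the token.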