diff --git a/conf/enumerate.go b/conf/enumerate.go
index a0cca6f6..ca31bbfb 100644
--- a/conf/enumerate.go
+++ b/conf/enumerate.go
@@ -234,10 +234,8 @@ func URLForWithCdnImage(p string) string {
 	cdn := beego.AppConfig.DefaultString("cdnimg", "")
 	//如果没有设置cdn,则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
-		if baseUrl == "" {
-			baseUrl = BaseUrl
-		}
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
+
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
@@ -267,10 +265,8 @@ func URLForWithCdnCss(p string, v ...string) string {
 	}
 	//如果没有设置cdn,则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
-		if baseUrl == "" {
-			baseUrl = BaseUrl
-		}
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
+
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
@@ -302,10 +298,8 @@ func URLForWithCdnJs(p string, v ...string) string {
 
 	//如果没有设置cdn,则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
-		if baseUrl == "" {
-			baseUrl = BaseUrl
-		}
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
+
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
diff --git a/controllers/AccountController.go b/controllers/AccountController.go
index d5672482..0e099a78 100644
--- a/controllers/AccountController.go
+++ b/controllers/AccountController.go
@@ -12,6 +12,7 @@ import (
 	"github.com/lifei6671/mindoc/conf"
 	"github.com/lifei6671/mindoc/models"
 	"github.com/lifei6671/mindoc/utils"
+	"html/template"
 )
 
 // AccountController 用户登录与注册
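Review bot: The identical two-line replacement is applied to `URLForWithCdnImage`, `URLForWithCdnCss` and `URLForWithCdnJs`, leaving three copies of the same base-URL fallback that now have to be kept in step by hand; a single helper, e.g. `func joinBaseURL(p string) string`, called from all three would make the next change (or fix) land in one place. Dropping the `BaseUrl` fallback also changes what an unset or empty `baseurl` produces — a root-relative `/…` path instead of whatever `BaseUrl` held — and that deserves a comment next to the new line, such as `// no baseurl configured: emit root-relative paths`. The new branch only fires when the configured `baseurl` ends in `/`; how a value like `https://host` without a trailing slash is handled is outside the hunk. The bodies of all three functions continue outside their hunks.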
@@ -19,9 +20,39 @@ type AccountController struct {
 	BaseController
 }
+func (c *AccountController) Prepare() {
+	c.BaseController.Prepare()
+	c.EnableXSRF = true
+	c.Data["xsrfdata"]=template.HTML(c.XSRFFormHTML())
+	if c.Ctx.Input.IsPost() {
+		token := c.Ctx.Input.Query("_xsrf")
+		if token == "" {
+			token = c.Ctx.Request.Header.Get("X-Xsrftoken")
+		}
+		if token == "" {
+			token = c.Ctx.Request.Header.Get("X-Csrftoken")
+		}
+		if token == "" {
+			if c.IsAjax() {
+				c.JsonResult(403,"非法请求")
+			} else {
+				c.ShowErrorPage(403, "非法请求")
+			}
+		}
+		xsrfToken := c.XSRFToken()
+		if xsrfToken != token {
+			if c.IsAjax() {
+				c.JsonResult(403,"非法请求")
+			} else {
+				c.ShowErrorPage(403, "非法请求")
+			}
+		}
+	}
+}
 // Login 用户登录
 func (c *AccountController) Login() {
 	c.Prepare()
+	c.TplName = "account/login.tpl"
 	if member, ok := c.GetSession(conf.LoginSessionName).(models.Member); ok && member.MemberId > 0 {
diff --git a/views/account/find_password_setp1.tpl b/views/account/find_password_setp1.tpl
index d94ce2d7..3771e89d 100644
--- a/views/account/find_password_setp1.tpl
+++ b/views/account/find_password_setp1.tpl
@@ -34,6 +34,7 @@
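Review bot: Neither 403 branch in the new `Prepare` returns, so unless `JsonResult`/`ShowErrorPage` abort the request themselves (via something like `StopRun()`, not visible here) the action still executes after a missing or mismatched token and the CSRF guard has no effect; an explicit `return` after the error response makes the guard hold regardless of what those helpers do. The empty-token branch is also redundant, because an empty string can never equal the cookie-backed token returned by `XSRFToken()`, so one comparison with a `return` covers both cases, as sketched below. Note that `Login` still calls `c.Prepare()` explicitly (a context line in this hunk), so if the framework already invokes `Prepare()` before the action, `BaseController.Prepare()` and the token check run twice per request. Only `IsPost()` requests are checked; if any action in this controller is also reachable via PUT or DELETE, those bypass the check. The body of `Login` continues outside the hunk.
```go
func (c *AccountController) Prepare() {
	c.BaseController.Prepare()
	c.EnableXSRF = true
	c.Data["xsrfdata"] = template.HTML(c.XSRFFormHTML())
	if !c.Ctx.Input.IsPost() {
		return
	}
	// … unchanged: token lookup from _xsrf, X-Xsrftoken, X-Csrftoken …
	// An empty token never equals the cookie token, so one comparison covers
	// both the missing and the mismatched case; the explicit return keeps the
	// action from running even if the 403 helpers do not abort the request.
	if token != c.XSRFToken() {
		if c.IsAjax() {
			c.JsonResult(403, "非法请求")
		} else {
			c.ShowErrorPage(403, "非法请求")
		}
		return
	}
}
```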