From 27d42d194c7608a223d634599405287e3cca89e9 Mon Sep 17 00:00:00 2001
From: lifei6671 <longfei6671@163.com>
Date: Wed, 14 Nov 2018 12:02:52 +0800
Subject: [PATCH] =?UTF-8?q?feat:1=E3=80=81=E5=A2=9E=E5=8A=A0=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=E6=B3=A8=E5=86=8C=E8=B7=A8=E7=AB=99=E6=94=BB=E5=87=BB?=
 =?UTF-8?q?=E9=98=B2=E6=8A=A4=202=E3=80=81=E7=A7=BB=E9=99=A4=E4=B8=8A?=
 =?UTF-8?q?=E4=BC=A0=E5=9B=BE=E7=89=87=E9=BB=98=E8=AE=A4=E7=9A=84=E5=9F=9F?=
 =?UTF-8?q?=E5=90=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 conf/enumerate.go                     | 18 ++++++----------
 controllers/AccountController.go      | 31 +++++++++++++++++++++++++++
 views/account/find_password_setp1.tpl |  1 +
 views/account/find_password_setp2.tpl |  1 +
 views/account/login.tpl               |  1 +
 views/account/register.tpl            |  1 +
 6 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/conf/enumerate.go b/conf/enumerate.go
index a0cca6f6..ca31bbfb 100644
--- a/conf/enumerate.go
+++ b/conf/enumerate.go
@@ -234,10 +234,8 @@ func URLForWithCdnImage(p string) string {
 	cdn := beego.AppConfig.DefaultString("cdnimg", "")
 	//如果没有设置cdn，则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
-		if baseUrl == "" {
-			baseUrl = BaseUrl
-		}
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
+
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
@@ -267,10 +265,8 @@ func URLForWithCdnCss(p string, v ...string) string {
 	}
 	//如果没有设置cdn，则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
-		if baseUrl == "" {
-			baseUrl = BaseUrl
-		}
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
+
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
@@ -302,10 +298,8 @@ func URLForWithCdnJs(p string, v ...string) string {
 
 	//如果没有设置cdn，则使用baseURL拼接
 	if cdn == "" {
-		baseUrl := beego.AppConfig.DefaultString("baseurl", "")
-		if baseUrl == "" {
-			baseUrl = BaseUrl
-		}
+		baseUrl := beego.AppConfig.DefaultString("baseurl", "/")
+
 		if strings.HasPrefix(p, "/") && strings.HasSuffix(baseUrl, "/") {
 			return baseUrl + p[1:]
 		}
diff --git a/controllers/AccountController.go b/controllers/AccountController.go
index d5672482..0e099a78 100644
--- a/controllers/AccountController.go
+++ b/controllers/AccountController.go
@@ -12,6 +12,7 @@ import (
 	"github.com/lifei6671/mindoc/conf"
 	"github.com/lifei6671/mindoc/models"
 	"github.com/lifei6671/mindoc/utils"
+	"html/template"
 )
 
 // AccountController 用户登录与注册
@@ -19,9 +20,39 @@ type AccountController struct {
 	BaseController
 }
 
+func (c *AccountController) Prepare() {
+	c.BaseController.Prepare()
+	c.EnableXSRF = true
+	c.Data["xsrfdata"]=template.HTML(c.XSRFFormHTML())
+	if c.Ctx.Input.IsPost() {
+		token := c.Ctx.Input.Query("_xsrf")
+		if token == "" {
+			token = c.Ctx.Request.Header.Get("X-Xsrftoken")
+		}
+		if token == "" {
+			token = c.Ctx.Request.Header.Get("X-Csrftoken")
+		}
+		if token == "" {
+			if c.IsAjax() {
+				c.JsonResult(403,"非法请求")
+			} else {
+				c.ShowErrorPage(403, "非法请求")
+			}
+		}
+		xsrfToken := c.XSRFToken()
+		if xsrfToken != token {
+			if c.IsAjax() {
+				c.JsonResult(403,"非法请求")
+			} else {
+				c.ShowErrorPage(403, "非法请求")
+			}
+		}
+	}
+}
 // Login 用户登录
 func (c *AccountController) Login() {
 	c.Prepare()
+
 	c.TplName = "account/login.tpl"
 
 	if member, ok := c.GetSession(conf.LoginSessionName).(models.Member); ok && member.MemberId > 0 {
diff --git a/views/account/find_password_setp1.tpl b/views/account/find_password_setp1.tpl
index d94ce2d7..3771e89d 100644
--- a/views/account/find_password_setp1.tpl
+++ b/views/account/find_password_setp1.tpl
@@ -34,6 +34,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post" id="findPasswordForm">
+            {{ .xsrfdata }}
                 <h3 class="text-center">找回密码</h3>
                 <div class="form-group">
                     <div class="input-group">
diff --git a/views/account/find_password_setp2.tpl b/views/account/find_password_setp2.tpl
index e49c2b8e..b57e3876 100644
--- a/views/account/find_password_setp2.tpl
+++ b/views/account/find_password_setp2.tpl
@@ -34,6 +34,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post" id="findPasswordForm" action="{{urlfor "AccountController.ValidEmail"}}">
+            {{ .xsrfdata }}
                 <input type="hidden" name="token" value="{{.Token}}">
                 <input type="hidden" name="mail" value="{{.Email}}">
                 <h3 class="text-center">找回密码</h3>
diff --git a/views/account/login.tpl b/views/account/login.tpl
index 8766a32e..9aaf2a47 100644
--- a/views/account/login.tpl
+++ b/views/account/login.tpl
@@ -29,6 +29,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post">
+            {{ .xsrfdata }}
                 <h3 class="text-center">用户登录</h3>
                 <div class="form-group">
                     <div class="input-group">
diff --git a/views/account/register.tpl b/views/account/register.tpl
index 3c913553..9861c2d6 100644
--- a/views/account/register.tpl
+++ b/views/account/register.tpl
@@ -34,6 +34,7 @@
     <div class="row login">
         <div class="login-body">
             <form role="form" method="post" id="registerForm">
+            {{ .xsrfdata }}
                 <h3 class="text-center">用户注册</h3>
                 <div class="form-group">
                     <div class="input-group">