From 7045c7f3e2948ced41647d0f4da01b6b070dffab Mon Sep 17 00:00:00 2001
From: Jordan
Date: Mon, 3 Feb 2014 23:41:31 -0600
Subject: [PATCH] Refined CSRF Protection Exempt Glob (/api/* to /api/*/*) to provide CSRF protection /api/reset Added stub for /api/campaigns/:id/launch
---
 controllers/api.go | 4 ++++
 controllers/route.go | 5 ++++-
 templates/settings.html | 1 -
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/controllers/api.go b/controllers/api.go
index 58630ffd..271f74b9 100644
--- a/controllers/api.go
+++ b/controllers/api.go
@@ -126,6 +126,10 @@ func API_Campaigns_Id(w http.ResponseWriter, r *http.Request) {
 }
 }
 
+func API_Campaigns_Id_Launch(w http.ResponseWriter, r *http.Request) {
+ http.Redirect(w, r, "/", 302)
+}
+
 // API_Groups returns details about the requested group. If the campaign is not
 // valid, API_Groups returns null.
 func API_Groups(w http.ResponseWriter, r *http.Request) {
diff --git a/controllers/route.go b/controllers/route.go
index 7f429f50..c8a80b53 100644
--- a/controllers/route.go
+++ b/controllers/route.go
@@ -33,6 +33,7 @@ func CreateRouter() *nosurf.CSRFHandler {
 api.HandleFunc("/reset", Use(API_Reset, mid.RequireLogin))
 api.HandleFunc("/campaigns", Use(API_Campaigns, mid.RequireAPIKey))
 api.HandleFunc("/campaigns/{id:[0-9]+}", Use(API_Campaigns_Id, mid.RequireAPIKey))
+ api.HandleFunc("/campaigns/id:[0-9]+}", Use(API_Campaigns_Id_Launch, mid.RequireAPIKey))
 api.HandleFunc("/groups", Use(API_Groups, mid.RequireAPIKey))
 api.HandleFunc("/groups/{id:[0-9]+}", Use(API_Groups_Id, mid.RequireAPIKey))
 
@@ -41,7 +42,7 @@ func CreateRouter() *nosurf.CSRFHandler {
 
 //Setup CSRF Protection
 csrfHandler := nosurf.New(router)
- csrfHandler.ExemptGlob("/api/*")
+ csrfHandler.ExemptGlob("/api/*/*")
 csrfHandler.ExemptGlob("/static/*")
 return csrfHandler
 }
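Review bot: API_Campaigns_Id_Launch is the one exported handler in this hunk without a doc comment, and it answers an API-key-authenticated route with a bare `302` redirect to `/`, which a non-browser API client cannot act on. Until the launch logic exists, say so above the function — `// API_Campaigns_Id_Launch is a stub for launching the campaign with the given id; it currently redirects to "/".` — and use the named status, `http.Redirect(w, r, "/", http.StatusFound)`. The neighbouring handlers (`API_Groups` just below) follow that comment convention, so it is visible in this file.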
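Review bot: The added route pattern `"/campaigns/id:[0-9]+}"` is malformed: it lacks the opening `{` of the id variable and has no `/launch` segment, so it cannot match the `/api/campaigns/:id/launch` path named in the commit message, and with the brace restored it would merely duplicate the `/campaigns/{id:[0-9]+}` pattern on the line above. It should read `api.HandleFunc("/campaigns/{id:[0-9]+}/launch", Use(API_Campaigns_Id_Launch, mid.RequireAPIKey))`. If `api` is a gorilla/mux subrouter, chaining `.Methods("POST")` would additionally keep a state-changing launch off of GET. CreateRouter continues past this hunk.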
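Review bot: Narrowing the exemption to `/api/*/*` does protect `/api/reset`, but it also drops the exemption from the single-segment API-key routes registered in the hunk above (`/api/campaigns`, `/api/groups`), so a non-browser client POSTing there with an API key is now rejected for a missing CSRF token; and if nosurf's glob `*` does not cross `/` (path.Match semantics — confirm against the nosurf version in use), the intended `/api/campaigns/{id}/launch` path would not be exempt either. The two route families use different credentials — `/api/reset` is session-authenticated via `mid.RequireLogin` and needs CSRF protection, while the `mid.RequireAPIKey` routes carry their own credential — so exempt the API-key routes explicitly rather than shaping one glob around `/api/reset`. The `/static/*` line and the return are unchanged; the start of CreateRouter is outside this hunk.
```go
	csrfHandler := nosurf.New(router)
	csrfHandler.ExemptGlob("/api/campaigns")
	csrfHandler.ExemptGlob("/api/campaigns/*")
	csrfHandler.ExemptGlob("/api/campaigns/*/launch")
	csrfHandler.ExemptGlob("/api/groups")
	csrfHandler.ExemptGlob("/api/groups/*")
	// … unchanged: /static/* exemption and return csrfHandler …
```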
@@ -98,8 +99,10 @@ func Settings(w http.ResponseWriter, r *http.Request) {
 User models.User
 Title string
 Flashes []interface{}
+ Token string
 }{Title: "Settings", User: ctx.Get(r, "user").(models.User)}
 session := ctx.Get(r, "session").(*sessions.Session)
+ params.Token = nosurf.Token(r)
 params.Flashes = session.Flashes()
 session.Save(r, w)
 getTemplate(w, "settings").ExecuteTemplate(w, "base", params)
diff --git a/templates/settings.html b/templates/settings.html
index f0fb9be3..23497bb8 100644
--- a/templates/settings.html
+++ b/templates/settings.html
@@ -44,7 +44,6 @@
-
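Review bot: Nothing in this commit appears to render the new `params.Token` — the diffstat at the top of the patch lists `templates/settings.html` with one deletion and no insertion — so once `/api/reset` stops being exempt, the reset request issued from this page will fail nosurf's check unless the template sends the token as a hidden form field or in the `X-CSRF-Token` header. Either include that template change here or state in the commit message that the client side follows. Separately, `session.Save(r, w)` on the line below still discards its error, though that predates this change. Settings begins and ends outside this hunk.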