From 8a57ff6824107a915ffd0deabb034e772e0b2a1a Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Wed, 23 Sep 2015 17:08:19 +0530
Subject: [PATCH] [fix] csrf token for website if switch to desk

---
 frappe/core/doctype/file/file.py | 2 +-
 frappe/patches/v6_1/rename_file_data.py | 2 ++
 frappe/public/build.json | 1 +
 frappe/public/js/frappe/request.js | 2 +-
 frappe/templates/base.html | 2 ++
 frappe/templates/pages/desk.html | 2 ++
 frappe/templates/pages/desk.py | 3 ++-
 frappe/website/js/website.js | 1 +
 frappe/website/render.py | 13 +++++++++++++
 9 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/frappe/core/doctype/file/file.py b/frappe/core/doctype/file/file.py
index 3c77aa2446..25be25a1c4 100644
--- a/frappe/core/doctype/file/file.py
+++ b/frappe/core/doctype/file/file.py
@@ -91,7 +91,7 @@ class File(NestedSet):
 			frappe.throw(_("Folder is mandatory"))
 
 	def validate_duplicate_entry(self):
-		if not self.flags.ignore_duplicate_entry_error:
+		if not self.flags.ignore_duplicate_entry_error and not self.is_folder:
 			# check duplicate assignement
 			n_records = frappe.db.sql("""select name from `tabFile`
 				where content_hash=%s
diff --git a/frappe/patches/v6_1/rename_file_data.py b/frappe/patches/v6_1/rename_file_data.py
index 166b420464..64af2e1411 100644
--- a/frappe/patches/v6_1/rename_file_data.py
+++ b/frappe/patches/v6_1/rename_file_data.py
@@ -14,6 +14,8 @@ def execute():
 	for file in frappe.get_all("File", filters={"is_folder": 0}):
 		file = frappe.get_doc("File", file.name)
 		file.flags.ignore_folder_validate = True
+		file.flags.ignore_duplicate_entry_error = True
+		file.flags.ignore_links = True
 		file.set_folder_name()
 		file.save()
diff --git a/frappe/public/build.json b/frappe/public/build.json
index 8428cf4022..429cda87e0 100644
--- a/frappe/public/build.json
+++ b/frappe/public/build.json
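Review bot: The new `and not self.is_folder` guard on the `if` in validate_duplicate_entry is unexplained; presumably a folder carries no content and therefore an empty content_hash, so without the guard every folder would collide with every other folder, but that reasoning belongs in the code. Add `# folders have no content, so a content_hash match is meaningless for them` above the `if`. The method continues past the end of the hunk, so what happens when n_records is non-empty is not visible here.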
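Review bot: The two added flag assignments switch off duplicate-entry and link validation for every non-folder File the migration re-saves, and nothing records why that is safe. Given the file.py change in the same commit, the duplicate check is plausibly what broke the patch on pre-existing files sharing a content_hash, but `ignore_links = True` has no visible justification and means a File whose references point at a missing record is saved silently. Add a comment above the flags, e.g. `# only folder_name is rewritten here; pre-existing duplicates and dangling links are out of scope for this patch`, and confirm the link bypass is actually required.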
@@ -15,6 +15,7 @@
 		"public/js/lib/moment/moment.min.js",
 		"public/js/lib/highlight.pack.js",
 		"public/js/frappe/class.js",
+		"public/js/lib/microtemplate.js",
 		"website/js/website.js",
 		"public/js/lib/socket.io.min.js"
 	],
diff --git a/frappe/public/js/frappe/request.js b/frappe/public/js/frappe/request.js
index 6139e6d03a..d4f197390d 100644
--- a/frappe/public/js/frappe/request.js
+++ b/frappe/public/js/frappe/request.js
@@ -121,7 +121,7 @@ frappe.request.call = function(opts) {
 		type: opts.type,
 		dataType: opts.dataType || 'json',
 		async: opts.async,
-		headers: { "X-Frappe-CSRF-Token": frappe.boot.csrf_token }
+		headers: { "X-Frappe-CSRF-Token": frappe.csrf_token }
 	};
 
 	frappe.last_request = ajax_args.data;
diff --git a/frappe/templates/base.html b/frappe/templates/base.html
index 851c04dbfc..3b282bc136 100644
--- a/frappe/templates/base.html
+++ b/frappe/templates/base.html
@@ -113,6 +113,8 @@
 	{%- endblock %}
+
+
 	{%- block body_include %}{{ body_include or "" }}{% endblock -%}
diff --git a/frappe/templates/pages/desk.html b/frappe/templates/pages/desk.html
index 23f0dfa7c4..33d9c9161c 100644
--- a/frappe/templates/pages/desk.html
+++ b/frappe/templates/pages/desk.html
@@ -53,6 +53,8 @@
 	frappe.boot = {{ boot }};
+	frappe.csrf_token = "{{ csrf_token }}";
+
 	{% for include in include_js %}
diff --git a/frappe/templates/pages/desk.py b/frappe/templates/pages/desk.py
index f1ce2a8daa..1ad4134fc3 100644
--- a/frappe/templates/pages/desk.py
+++ b/frappe/templates/pages/desk.py
@@ -21,7 +21,7 @@ def get_context(context):
 	boot = frappe.sessions.get()
 
 	# this needs commit
-	boot["csrf_token"] = frappe.sessions.get_csrf_token()
+	csrf_token = frappe.sessions.get_csrf_token()
 	frappe.db.commit()
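Review bot: The changed `headers:` line now reads `frappe.csrf_token`, which nothing in this file assigns; on the desk it is set by the inline script in desk.html, on website pages only by the marker replacement in render.py, and that replacement is skipped for Guest sessions, ajax-rendered responses and sessions with no stored token. In those cases the value is undefined and jQuery, as far as I recall, sends the literal string "undefined" in X-Frappe-CSRF-Token rather than omitting the header, which the server-side check (not in this diff) may treat as a mismatch. Consider `headers: frappe.csrf_token ? { "X-Frappe-CSRF-Token": frappe.csrf_token } : {}` so an absent token produces no header at all. frappe.request.call starts and ends outside the hunk.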
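Review bot: At the added `frappe.csrf_token = "{{ csrf_token }}";` line the token is interpolated directly into a JavaScript string literal with, at most, HTML escaping, so the page is safe only as long as the token can never contain a quote, a backslash or a closing script tag; that guarantee lives in get_csrf_token(), which is not in this diff. The neighbouring `frappe.boot = {{ boot }};` line already emits a JSON-encoded value, so JSON-encoding csrf_token the same way (in desk.py before it is put into the context, or via a JSON filter if the template engine offers one) keeps both lines consistent and removes the dependency on the token's alphabet. If that is not practical, at least record the assumption: `{# token comes from get_csrf_token(); assumed alphanumeric, so no JS escaping #}`.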
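Review bot: The removed `boot["csrf_token"] = ...` line drops the token from the boot payload, so anything that still reads `frappe.boot.csrf_token` breaks; request.js is updated in this commit, but the mobile path that receives `boot` directly (`"boot": boot if context.get("for_mobile")` in the next hunk) and any app-level callers are not visible here and should be grepped before merging. The surviving `# this needs commit` comment now sits above a plain local assignment and no longer says what needs committing; `# get_csrf_token() may create and store the token in the session, hence the commit below` would explain it, hedged because get_csrf_token() itself is not in the diff. get_context continues outside the hunk.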
@@ -35,6 +35,7 @@ def get_context(context):
 		"include_js": hooks["app_include_js"],
 		"include_css": hooks["app_include_css"],
 		"boot": boot if context.get("for_mobile") else boot_json,
+		"csrf_token": csrf_token,
 		"background_image": boot.user.background_image or boot.default_background_image,
 		"google_analytics_id": frappe.conf.get("google_analytics_id")
 	}
diff --git a/frappe/website/js/website.js b/frappe/website/js/website.js
index 77bd6ebd08..31695f9680 100644
--- a/frappe/website/js/website.js
+++ b/frappe/website/js/website.js
@@ -35,6 +35,7 @@ $.extend(frappe, {
 			url: "/",
 			data: opts.args,
 			dataType: "json",
+			headers: { "X-Frappe-CSRF-Token": frappe.csrf_token },
 			statusCode: {
 				404: function(xhr) {
 					frappe.msgprint(__("Not found"));
diff --git a/frappe/website/render.py b/frappe/website/render.py
index e06f7b12b9..c83d745ccb 100644
--- a/frappe/website/render.py
+++ b/frappe/website/render.py
@@ -4,6 +4,7 @@ from __future__ import unicode_literals
 
 import frappe
 from frappe import _
+import frappe.sessions
 from frappe.utils import cstr
 import mimetypes, json
 from werkzeug.wrappers import Response
@@ -54,6 +55,8 @@ def render(path, http_status_code=None):
 		data = render_page(path)
 		http_status_code = 500
 
+	data = add_csrf_token(data)
+
 	return build_response(path, data, http_status_code or 200)
 
 def set_lang():
@@ -87,6 +90,16 @@ def get_doctype_from_path(path):
 
 	return None, None
 
+def add_csrf_token(data):
+	if is_ajax() or frappe.session.user == "Guest" or not frappe.local.session.data.csrf_token:
+		pass
+
+	else:
+		data = data.replace("", ''.format(
+			frappe.local.session.data.csrf_token))
+
+	return data
+
 def build_response(path, data, http_status_code, headers=None):
 	# build response
 	response = Response()
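Review bot: The added `headers:` line sends `frappe.csrf_token` on every website ajax call, but on the website that global exists only when render.py's add_csrf_token injected it, which it does not do for Guest sessions, ajax-rendered responses, or a logged-in session whose stored csrf_token is empty; in those cases the value is undefined and jQuery most likely transmits the string "undefined" instead of no header. Guard it, `headers: frappe.csrf_token ? { "X-Frappe-CSRF-Token": frappe.csrf_token } : {}`, or make sure the server-side check treats an absent header and a bogus one the same way and say so in a comment here. The enclosing $.ajax call and $.extend block start and end outside the hunk.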
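Review bot: add_csrf_token silently does nothing for a logged-in session whose stored csrf_token is empty (the `or not frappe.local.session.data.csrf_token` branch falls into `pass`), so a user who logs in on the website before ever opening the desk gets a page with no token, and the website.js calls added in this commit then send an invalid header; the first hunk imports frappe.sessions but nothing here uses it, while desk.py shows `frappe.sessions.get_csrf_token()` is the helper that yields a token (followed by a commit). Consider `token = frappe.sessions.get_csrf_token()` instead of reading the session dict directly, with the same commit desk.py does, and collapse the if/pass/else into an early `return data` for the Guest and ajax cases. The marker string and the injected snippet were lost in this rendering of the patch, but `str.replace` without a count rewrites every occurrence, so pass `1` unless the marker is known to appear once. The token also reaches the page through `str.format` with no escaping, which is safe only while get_csrf_token() emits a plain hex or alphanumeric string; note that above the replace, e.g. `# token from get_csrf_token() is assumed alphanumeric; embedded unescaped`.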