zulip/static/js/setup.js

// Miscellaneous early setup.

var csrf_token;
$(function () {
    // Display loading indicator.  This disappears after the first
    // get_updates completes.
    if (page_params.have_initial_messages) {
        util.make_loading_indicator($('#page_loading_indicator'), {text: 'Loading...'});
    } else if (!page_params.needs_tutorial) {
        util.show_first_run_message();
    }

    // This requires that we used Django's {% csrf_token %} somewhere on the page.
    csrf_token = $('input[name="csrfmiddlewaretoken"]').attr('value');

    $.ajaxSetup({
        beforeSend: function (xhr, settings) {
            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
                // Only send the token to relative URLs i.e. locally.
                xhr.setRequestHeader("X-CSRFToken", csrf_token);
            }
        }
    });

    // For some reason, jQuery wants this to be attached to an element.
    $('body').ajaxError(function (event, xhr) {
        if (xhr.status === 401) {
            // We got logged out somehow, perhaps from another window or a session timeout.
            // We could display an error message, but jumping right to the login page seems
            // smoother and conveys the same information.
            window.location.replace('/accounts/login');
        }
    });

    if (page_params.password_auth_enabled !== false) {
        // zxcvbn.js is pretty big, and is only needed on password change, so load it asynchronously.
        $.getScript('/static/third/zxcvbn/zxcvbn.js');
    }
});
Move some early setup code (imported from commit ca57718e4a71f43bbf229d2a6e8c70174bb3583f) 2012-10-03 22:07:04 +02:00			`// Miscellaneous early setup.`

Make csrf_token global (imported from commit 734d9c886c3a77d2ba40bd449cb089a00807a656) 2012-11-14 17:31:29 +01:00			`var csrf_token;`
Move some early setup code (imported from commit ca57718e4a71f43bbf229d2a6e8c70174bb3583f) 2012-10-03 22:07:04 +02:00			`$(function () {`
			`// Display loading indicator. This disappears after the first`
			`// get_updates completes.`
Move "page parameters" (email, enter_sends, etc) into a single object (imported from commit 842b2371bf6364982f1358f1cd2d91118c7fb2bf) 2013-03-25 23:26:14 +01:00			`if (page_params.have_initial_messages) {`
Make make_loading_indicator take its optional text via an options argument (imported from commit 935f9049c00183f52bad80d54520f81efceb3e49) 2013-07-10 19:33:00 +02:00			`util.make_loading_indicator($('#page_loading_indicator'), {text: 'Loading...'});`
Add the new tutorial steps. (imported from commit 9269acbcf58332002b1d45c0134ccb2db980f05c) 2013-06-27 22:18:28 +02:00			`} else if (!page_params.needs_tutorial) {`
Properly start tutorial on first run, even if you have new messages. We were previously having an issue where the tutorial could be pre-empted if you got a few messages while you were first logging in. I have some reservations about this being slightly fragile, and a better approach might be to just have a bit that we use to determine whether or not you've already seen a tutorial. (Or potentially that checks whether or not you've ever sent a message.) (imported from commit f8858f64a36bcd25887b76314caff283929f340c) 2013-03-12 04:54:17 +01:00			`util.show_first_run_message();`
Misc. style fixes (imported from commit b1f32a19a280e3efacf207bfe22bd10eb3aec537) 2012-10-03 23:22:51 +02:00			`}`
Move some early setup code (imported from commit ca57718e4a71f43bbf229d2a6e8c70174bb3583f) 2012-10-03 22:07:04 +02:00
Get the CSRF token from the DOM rather than a cookie This simplifies the code, and lets us set the CSRF cookie as HttpOnly, which adds a little bit of security. (imported from commit 9d5923a1acf19bd27e6e1d55cf627049526de245) 2012-10-26 21:49:47 +02:00			`// This requires that we used Django's {% csrf_token %} somewhere on the page.`
Make csrf_token global (imported from commit 734d9c886c3a77d2ba40bd449cb089a00807a656) 2012-11-14 17:31:29 +01:00			`csrf_token = $('input[name="csrfmiddlewaretoken"]').attr('value');`
Get the CSRF token from the DOM rather than a cookie This simplifies the code, and lets us set the CSRF cookie as HttpOnly, which adds a little bit of security. (imported from commit 9d5923a1acf19bd27e6e1d55cf627049526de245) 2012-10-26 21:49:47 +02:00
			`$.ajaxSetup({`
			`beforeSend: function (xhr, settings) {`
			`if (!(/^http:./.test(settings.url) \|\| /^https:./.test(settings.url))) {`
			`// Only send the token to relative URLs i.e. locally.`
Make csrf_token global (imported from commit 734d9c886c3a77d2ba40bd449cb089a00807a656) 2012-11-14 17:31:29 +01:00			`xhr.setRequestHeader("X-CSRFToken", csrf_token);`
Move some early setup code (imported from commit ca57718e4a71f43bbf229d2a6e8c70174bb3583f) 2012-10-03 22:07:04 +02:00			`}`
			`}`
Get the CSRF token from the DOM rather than a cookie This simplifies the code, and lets us set the CSRF cookie as HttpOnly, which adds a little bit of security. (imported from commit 9d5923a1acf19bd27e6e1d55cf627049526de245) 2012-10-26 21:49:47 +02:00			`});`
Redirect to /accounts/login if an Ajax call fails because we aren't logged in Fixes #396. We could display an error message, but jumping right to the login page seems smoother and conveys the same information. This will discard any message being composed, but preserving it would have security consequences that we should consider further before implementing that. Hopefully, users only get logged out by an explicit action, so they can't complain too much (but see #217). (imported from commit aaa23ecf46c73e514117ae1010fc44e133f2ba07) 2012-11-21 00:16:09 +01:00
			`// For some reason, jQuery wants this to be attached to an element.`
			`$('body').ajaxError(function (event, xhr) {`
			`if (xhr.status === 401) {`
			`// We got logged out somehow, perhaps from another window or a session timeout.`
			`// We could display an error message, but jumping right to the login page seems`
			`// smoother and conveys the same information.`
			`window.location.replace('/accounts/login');`
			`}`
			`});`
Add a password strength check on the settings page (imported from commit 68ae1732e62be076a4619b522009a76215d69757) 2013-04-04 00:55:36 +02:00
Disable password change when SSO is the only login option (imported from commit fd1a14237e2d6ea574331ed178bfc0db5beb18c6) 2013-11-04 23:42:31 +01:00			`if (page_params.password_auth_enabled !== false) {`
			`// zxcvbn.js is pretty big, and is only needed on password change, so load it asynchronously.`
			`$.getScript('/static/third/zxcvbn/zxcvbn.js');`
			`}`
Move some early setup code (imported from commit ca57718e4a71f43bbf229d2a6e8c70174bb3583f) 2012-10-03 22:07:04 +02:00			`});`