FIX: improve how we track page visits #28
Conversation
arpitjalan
force-pushed
the
improve-tracking
branch
from
e2be797 to
a8a3446
Compare
| class PageVisitsController < ::ApplicationController | ||
| requires_plugin PLUGIN_NAME | ||
|
|
||
| skip_before_action :verify_authenticity_token, only: [:create] |
There was a problem hiding this comment.
I think we still want this still. As far as I can tell it's possible to add the X-CSRF-Token header in sendBeacon.
Here is where Core injects the header
https://github.com/discourse/discourse/blob/9bb15488bdcf2c2a976249d23c5c809f3c52ba73/frontend/discourse/app/instance-initializers/csrf-token.js#L24
The Ajax library has an exported function for ensuring we have a valid token - https://github.com/discourse/discourse/blob/9bb15488bdcf2c2a976249d23c5c809f3c52ba73/frontend/discourse/app/lib/ajax.js#L49-L57
You can see how it's used in various places:
https://github.com/discourse/discourse/blob/9bb15488bdcf2c2a976249d23c5c809f3c52ba73/frontend/discourse/app/lib/uppy/uppy-upload.js#L497
There was a problem hiding this comment.
Excellent feedback, thank you! I just pushed another commit to add CSRF token to verify authenticity.
https://meta.discourse.org/t/investigating-the-page-visits-table-and-page-visit-related-questions/386914/60