From a63f137a7af962b14afa05445b58a057902572f2 Mon Sep 17 00:00:00 2001
From: Marti Raudsepp
Date: Tue, 30 Oct 2012 22:24:00 +0200
Subject: [PATCH] Enable CsrfViewMiddleware -- make CSRF protection required by default
Most of these forms look pretty benign, but the user profile form, which includes an SSH key field, certainly needs to be protected.
---
 pgweb/account/views.py | 3 ---
 pgweb/settings.py | 1 +
 templates/account/userprofileform.html | 2 +-
 templates/base/form.html | 2 +-
 templates/core/admin_mergeorg.html | 2 +-
 templates/core/admin_purge.html | 2 +-
 templates/core/community.html | 2 +-
 7 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/pgweb/account/views.py b/pgweb/account/views.py
index b76b749..19c6b55 100644
--- a/pgweb/account/views.py
+++ b/pgweb/account/views.py
@@ -190,10 +190,8 @@ def signup_complete(request):
 ####
 ## Community authentication endpoint
 ####
-from django.views.decorators.csrf import csrf_protect
 
 @ssl_required
-@csrf_protect
 def communityauth(request, siteid):
 # Get whatever site the user is trying to log in to.
 site = get_object_or_404(CommunityAuthSite, pk=siteid)
@@ -257,7 +255,6 @@ def communityauth(request, siteid):
 @ssl_required
-@csrf_protect
 def communityauth_logout(request, siteid):
 # Get whatever site the user is trying to log in to.
 site = get_object_or_404(CommunityAuthSite, pk=siteid)
diff --git a/pgweb/settings.py b/pgweb/settings.py
index 886f5bd..0742d08 100644
--- a/pgweb/settings.py
+++ b/pgweb/settings.py
@@ -60,6 +60,7 @@ TEMPLATE_LOADERS = (
 MIDDLEWARE_CLASSES = [
 'django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
+ 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'util.middleware.PgMiddleware',
 ]
diff --git a/templates/account/userprofileform.html b/templates/account/userprofileform.html
index 73fd3a6..43fe798 100644
--- a/templates/account/userprofileform.html
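Review bot: Dropping `@csrf_protect` from `communityauth` leaves that view covered only by the middleware added in settings.py, and the same applies to `communityauth_logout` in the second views.py hunk; that is equivalent for same-origin POSTs, but the header comment and the `CommunityAuthSite` lookup suggest these are the endpoints external community sites send users to, and if either is meant to accept a POST that originates on one of those sites, CsrfViewMiddleware will now reject it with 403 because no token is present. Both function bodies continue outside the hunk, so whether they read POST data cannot be confirmed here. Also note that neither the removed decorator nor the middleware checks GET requests, so if `communityauth_logout` performs the logout on GET it remains unprotected either way. I would leave a one-line comment where the decorator was: `# CSRF checks come from CsrfViewMiddleware (settings.py); do not csrf_exempt these views without reviewing the cross-site login flow.`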
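Review bot: The new `CsrfViewMiddleware` entry sits after SessionMiddleware and before AuthenticationMiddleware, which is the right spot, but enabling it site-wide means every POST form that was not updated now fails with 403, and the diffstat covers only five templates. In Django 1.x the `{% csrf_token %}` tag renders nothing unless the view renders through a `RequestContext` (or `render()`), so each view behind the updated forms needs that check as well, which this diff does not show. A short comment on the new line would help the next reader: `# Site-wide CSRF checks: every POST form needs {% csrf_token %} and a RequestContext.`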
+++ b/templates/account/userprofileform.html @@ -2,7 +2,7 @@ {%block title%}Edit user profile{%endblock%} {%block contents%}

Edit user profile

-
+{% csrf_token %} {%if form.errors%}
diff --git a/templates/base/form.html b/templates/base/form.html
index f00b67a..ed076dc 100644
--- a/templates/base/form.html
+++ b/templates/base/form.html
@@ -3,7 +3,7 @@ {%block title%}{{operation|default:"Edit"}} {{formitemtype}}{%endblock%} {%block contents%}

{{operation|default:"Edit"}} {{formitemtype}}

-
+{% csrf_token %} {%if form_intro%}

{{form_intro|safe}}
diff --git a/templates/core/admin_mergeorg.html b/templates/core/admin_mergeorg.html
index 6adf2b1..cde62ba 100644
--- a/templates/core/admin_mergeorg.html
+++ b/templates/core/admin_mergeorg.html
@@ -10,7 +10,7 @@ {%block content%}

Merge organisations

-
+{% csrf_token %}
{{form.as_table}}
diff --git a/templates/core/admin_purge.html b/templates/core/admin_purge.html
index 1405570..d7e91f1 100644
--- a/templates/core/admin_purge.html
+++ b/templates/core/admin_purge.html
@@ -17,7 +17,7 @@ {%endif%}
-
+ {% csrf_token %} URL (regex):
diff --git a/templates/core/community.html b/templates/core/community.html
index 3c343ce..78ac010 100644
--- a/templates/core/community.html
+++ b/templates/core/community.html
@@ -18,7 +18,7 @@
User Survey
{{survey.question}}
-
+ {% csrf_token %}

{%for q in survey.questions%}
-- 1.8.0