Issue 91 attachment: CSRF-1.2-style.diff (5.0 KB)

diff -r 1097639b3aa1 -r 6beca1ba595b forum/templates/forum/newthread.html
--- a/forum/templates/forum/newthread.html Mon Oct 18 10:52:34 2010 +0200
+++ b/forum/templates/forum/newthread.html Mon Oct 18 12:12:36 2010 +0200
@@ -16,7 +16,7 @@
{% block content %}

<h2>{% trans "Create a Thread" %}</h2>
-<form method='post' action='./'>
+<form method='post' action='./'>{% csrf_token %}
{% if form.errors %}<ul>{{ form.errors.as_ul }}</ul>{% endif %}
<p><label>{% trans "Posting As" %}</label><span>{{ user.username }}</span></p>
{{ form.as_p }}
diff -r 1097639b3aa1 -r 6beca1ba595b forum/templates/forum/reply.html
--- a/forum/templates/forum/reply.html Mon Oct 18 10:52:34 2010 +0200
+++ b/forum/templates/forum/reply.html Mon Oct 18 12:12:36 2010 +0200
@@ -11,7 +11,7 @@
{% block content %}

<h2>{% trans "Reply to Thread" %}</h2>
-<form method='post' action='./'>
+<form method='post' action='./'>{% csrf_token %}
{% if form.errors %}<ul>{{ form.errors.as_ul }}</ul>{% endif %}
<p><label>{% trans "Posting As" %}</label><span>{{ user.username }}</span></p>
{{ form.as_p }}
diff -r 1097639b3aa1 -r 6beca1ba595b forum/templates/forum/thread.html
--- a/forum/templates/forum/thread.html Mon Oct 18 10:52:34 2010 +0200
+++ b/forum/templates/forum/thread.html Mon Oct 18 12:12:36 2010 +0200
@@ -36,7 +36,7 @@
<p>{% trans "Sorry, this thread is closed. No further replies are permitted." %}</p>
{% else %}
{% if user.is_authenticated %}
-<form method='post' action='reply/'>
+<form method='post' action='reply/'>{% csrf_token %}
<p><label>{% trans "Posting As" %}</label><span>{{ user.username }}</span></p>
{{ form.as_p }}
<input type='submit' value='{% trans "Submit" %}' />
diff -r 1097639b3aa1 -r 6beca1ba595b forum/templates/forum/thread_list.html
--- a/forum/templates/forum/thread_list.html Mon Oct 18 10:52:34 2010 +0200
+++ b/forum/templates/forum/thread_list.html Mon Oct 18 12:12:36 2010 +0200
@@ -68,7 +68,7 @@

<h2>{% trans "Create a Thread" %}</h2>
{% if user.is_authenticated %}
-<form method='post' action='new/'>
+<form method='post' action='new/'>{% csrf_token %}
<p><label>{% trans "Posting As" %}</label><span>{{ user.username }}</span></p>
{{ form.as_p }}
<p><input type='submit' value='{% trans "Post" %}' /></p>
diff -r 1097639b3aa1 -r 6beca1ba595b forum/templates/forum/updatesubs.html
--- a/forum/templates/forum/updatesubs.html Mon Oct 18 10:52:34 2010 +0200
+++ b/forum/templates/forum/updatesubs.html Mon Oct 18 12:12:36 2010 +0200
@@ -10,7 +10,7 @@
{% if not subs %}
<p>{% trans "No subscriptions." %}</p>
{% else %}
-<form method='post' action='./'>
+<form method='post' action='./'>{% csrf_token %}
<table id='djangoForumThreadList'>

<tr>
diff -r 1097639b3aa1 -r 6beca1ba595b forum/views.py
--- a/forum/views.py Mon Oct 18 10:52:34 2010 +0200
+++ b/forum/views.py Mon Oct 18 12:12:36 2010 +0200
@@ -15,6 +15,7 @@
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _
from django.views.generic.list_detail import object_list
+from django.core.context_processors import csrf

from forum.models import Forum,Thread,Post,Subscription
from forum.forms import CreateThreadForm, ReplyForm
@@ -37,6 +38,8 @@
f = Forum.objects.for_groups(request.user.groups.all()).select_related().get(slug=slug)
except Forum.DoesNotExist:
raise Http404
+ c = {}
+ c.update(csrf(request))

form = CreateThreadForm()
child_forums = f.child.for_groups(request.user.groups.all())
@@ -49,6 +52,7 @@
'forum': f,
'child_forums': child_forums,
'form': form,
+ 'csrf': c,
})
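Review bot: The `'csrf': c,` entry added to this context dict (and the same entry in the `@@ -88,6 +94,7 @@` hunk of the thread view) nests the token under a `csrf` key, but the `{% csrf_token %}` tag the template hunks add looks up `csrf_token` at the top level of the template context, so the hidden field would render empty and these POSTs would be rejected once CsrfViewMiddleware enforces the check. The token has to be merged at top level, e.g. `'csrf_token': c['csrf_token'],`, or the manual `c` dict can be dropped in favour of rendering with `context_instance=RequestContext(request)`, which runs the csrf context processor on its own. The `@@ -102`, `@@ -180` and `@@ -223` hunks build `c` the same way but their render calls fall outside the visible hunks, so the same top-level merge should be confirmed there; a render test asserting the hidden `csrfmiddlewaretoken` input is present in each form would catch all five. The enclosing view function starts outside this hunk.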

def thread(request, thread):
@@ -62,6 +66,8 @@
raise Http404
except Thread.DoesNotExist:
raise Http404
+ c = {}
+ c.update(csrf(request))

p = t.post_set.select_related('author').all().order_by('time')
s = None
@@ -88,6 +94,7 @@
'thread': t,
'subscription': s,
'form': form,
+ 'csrf': c,
})

def reply(request, thread):
@@ -102,6 +109,8 @@
return HttpResponseServerError()
if not Forum.objects.has_access(t.forum, request.user.groups.all()):
return HttpResponseForbidden()
+ c = {}
+ c.update(csrf(request))

if request.method == "POST":
form = ReplyForm(request.POST)
@@ -180,6 +189,8 @@
return HttpResponseRedirect('%s?next=%s' % (LOGIN_URL, request.path))

f = get_object_or_404(Forum, slug=forum)
+ c = {}
+ c.update(csrf(request))

if not Forum.objects.has_access(f, request.user.groups.all()):
return HttpResponseForbidden()
@@ -223,6 +234,8 @@
"""
if not request.user.is_authenticated():
return HttpResponseRedirect('%s?next=%s' % (LOGIN_URL, request.path))
+ c = {}
+ c.update(csrf(request))

subs = Subscription.objects.select_related().filter(author=request.user)
