From 6687bc8fced2d5bbfec79d5d908f13448dd1e732 Mon Sep 17 00:00:00 2001 From: Alexander Sulfrian Date: Tue, 12 Jan 2016 03:42:21 +0100 Subject: forms: Try to disable autocomplete on forms with password fields By default browsers (at least chrome is very agressive) try to detect forms with password inputs and try to insert saved passwords (for example from the login page). The default attribute to disable this (autocomplete=off) is ignored sometimes. Therefore we add two hidden input fields, that disable the auto filling at least in chrome. --- forms.py | 7 +++---- templates/pad_change.html | 6 ++++++ utils/widgets.py | 12 ++++++++++++ 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/forms.py b/forms.py index e1dab0f..b13a5e7 100644 --- a/forms.py +++ b/forms.py @@ -2,12 +2,11 @@ from flask.ext.wtf import Form from wtforms import StringField, HiddenField, PasswordField, BooleanField, \ validators, ValidationError from wtforms.ext.sqlalchemy.orm import model_form, ModelConverter -from wtforms.widgets import PasswordInput from app import db from models import Group, Pad from utils.forms import Unique, RedirectMixin -from utils.widgets import TextArea, Static +from utils.widgets import TextArea, Static, PasswordInput CreateGroup = model_form( @@ -50,7 +49,7 @@ _CreatePad = model_form( validators.Regexp('^[a-zA-Z1-9]', message=u'Pad name should not ' 'start with a special character.')]}, 'public': {'validators': []}, - 'password': {'widget': PasswordInput()}, + 'password': {'widget': PasswordInput(autocomplete='off')}, }, db_session=db.session) @@ -72,7 +71,7 @@ ChangePad = model_form( field_args={ 'name': {'widget': Static()}, 'public': {'validators': []}, - 'password': {'widget': PasswordInput()}, + 'password': {'widget': PasswordInput(autocomplete='off')}, }, db_session=db.session) diff --git a/templates/pad_change.html b/templates/pad_change.html index afa0633..5e46d70 100644 --- a/templates/pad_change.html +++ b/templates/pad_change.html 
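Review bot: `autocomplete='off'` on the `password` field of `_CreatePad` (and again in the `ChangePad` hunk that follows) is the value the commit message itself says browsers sometimes ignore for password inputs, so a saved login password can still be filled in and submitted as the pad's password. Both forms set a new secret rather than log in, and the standard autofill token for that case is `new-password`: `'password': {'widget': PasswordInput(autocomplete='new-password')},`. That states the intent to the browser and to password managers; whether it makes the hidden decoy inputs unnecessary would need testing in the browsers you target. Both `model_form(...)` calls begin above their hunks.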
@@ -19,6 +19,12 @@
+ + + {% for field in change_form %} {{ render_field(field) }} {% endfor %} diff --git a/utils/widgets.py b/utils/widgets.py index 3b65b82..4ce206f 100644 --- a/utils/widgets.py +++ b/utils/widgets.py @@ -20,3 +20,15 @@ class TextArea(wtforms.widgets.core.TextArea): if arg not in kwargs: kwargs[arg] = self.kwargs[arg] return super(TextArea, self).__call__(field, **kwargs) + + +class PasswordInput(wtforms.widgets.core.PasswordInput): + def __init__(self, hide_value=True, **kwargs): + self.kwargs = kwargs + super(PasswordInput, self).__init__(hide_value) + + def __call__(self, field, **kwargs): + for arg in self.kwargs: + if arg not in kwargs: + kwargs[arg] = self.kwargs[arg] + return super(PasswordInput, self).__call__(field, **kwargs) -- cgit v1.2.3-1-g7c22
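Review bot: The new `PasswordInput` class in utils/widgets.py has no docstring and repeats the kwargs-merging loop of `TextArea.__call__` just above it. I would add a class docstring saying that keyword arguments given to the constructor become default HTML attributes, that attributes passed at render time take precedence, and that `hide_value` defaults to `True` so the field's current value is not written back into the page. The loop body can be `kwargs.setdefault(arg, value)` under `for arg, value in self.kwargs.items():`; a small mixin shared by both widgets would remove the duplication, though `TextArea.__init__` is outside this hunk, so I have not checked that it stores `self.kwargs` the same way.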