author | Marian Sigler <m@qjym.de> | 2012-09-28 03:12:52 +0200 |
committer | Marian Sigler <m@qjym.de> | 2012-09-28 03:16:12 +0200 |
commit | 2676e1d7130160673c408987c4aeef83f9f57b6d (patch) | |
tree | 73937f3ae6d5d4f70157b213bdad9c65545200bc /app.py | |
parent | a9b2f0624d5f9095747e9c2a8518199375c5e815 (diff) | |
Disable csrf where user is not logged in; Show CSRF errors in forms.
Diffstat (limited to 'app.py')
-rw-r--r-- | app.py | 11 |
1 files changed, 5 insertions, 6 deletions
@@ -54,7 +54,7 @@ def template_default_context():
@templated('index.html')
def index():
if not g.user:
- form = LoginForm(request.form)
+ form = LoginForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
if login_user(form.username.data, form.password.data):
flash(u'Erfolgreich eingeloggt', 'success')
@@ -73,7 +73,7 @@ def index():
def register():
#TODO: check for double uids
#TODO: check for double mails
- form = RegisterForm(request.form)
+ form = RegisterForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
username = form.username.data
mail = form.mail.data
@@ -104,7 +104,7 @@ def register_complete(token):
username, mail = http_verify_confirmation('register', token.encode('ascii'), timeout=3*24*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
password = form.password.data
@@ -129,7 +129,7 @@ def register_complete(token):
@templated('lost_password.html')
@logout_required
def lost_password():
- form = LostPasswordForm(request.form)
+ form = LostPasswordForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
#TODO: make the link only usable once (e.g include a hash of the old pw)
# atm the only thing we do is make the link valid for only little time
@@ -156,7 +156,7 @@ def lost_password():
def lost_password_complete(token):
username, = http_verify_confirmation('lost_password', token.encode('ascii'), timeout=4*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
user = g.ldap.get_by_uid(username)
user.change_password(form.password.data)
@@ -261,7 +261,6 @@ def about():
return {}
-
@app.route('/debug')
def debug():
raise Exception() |
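Review bot: Passing `csrf_enabled=False` to `LoginForm` in the first hunk removes the form's CSRF check entirely, which leaves the login endpoint exposed to login CSRF (a visitor can be signed into a session they did not choose without noticing); the same switch is applied to `RegisterForm`, `RegisterCompleteForm` (in both the register_complete and lost_password_complete hunks) and `LostPasswordForm`. The WTForms/Flask-WTF CSRF token is typically tied to the session cookie rather than to an authenticated user, so an anonymous visitor can carry one too; the commit message does not say what made the check fail for logged-out users, and that underlying failure looks like the thing to fix rather than bypassing the check on exactly the forms that authenticate or set passwords. If the bypass is kept as an interim measure, at least restore `form = LoginForm(request.form)` and put a comment above each remaining exempt call recording the reason, e.g. `# CSRF disabled here because <reason> -- revisit before release`. Every function touched by these hunks starts or ends outside its hunk.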