authorMarian Sigler <m@qjym.de>2012-09-28 03:12:52 +0200
committerMarian Sigler <m@qjym.de>2012-09-28 03:16:12 +0200
commit2676e1d7130160673c408987c4aeef83f9f57b6d (patch)
tree73937f3ae6d5d4f70157b213bdad9c65545200bc /app.py
parenta9b2f0624d5f9095747e9c2a8518199375c5e815 (diff)
Disable CSRF where the user is not logged in; show CSRF errors in forms.
Diffstat (limited to 'app.py')
-rw-r--r--app.py11
1 files changed, 5 insertions, 6 deletions
diff --git a/app.py b/app.py
index f06eb0b..dfe3b5a 100644
--- a/app.py
+++ b/app.py
@@ -54,7 +54,7 @@ def template_default_context():
@templated('index.html')
def index():
if not g.user:
- form = LoginForm(request.form)
+ form = LoginForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
if login_user(form.username.data, form.password.data):
flash(u'Erfolgreich eingeloggt', 'success')
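Review bot: Passing `csrf_enabled=False` to `LoginForm` on the added line turns off CSRF protection for the login request itself, which is the case login-CSRF defends against: a cross-site POST can sign the victim's browser into an account the victim did not pick, so whatever they do afterwards is attributed to that account. The same switch is made in the register, register_complete, lost_password and lost_password_complete hunks, and for register and lost_password it also lets a third-party page trigger account creation and reset mails on a visitor's behalf. If the motivation was that anonymous visitors have no session to hold the token, Flask's cookie session is created for anonymous users as well and Flask-WTF (presumably the form library, given the `csrf_enabled` keyword) keeps its CSRF token there, so the unchanged `form = LoginForm(request.form)` should keep working while the CSRF-error display mentioned in the commit title covers these forms too. If it has to stay disabled, a comment at each site such as `# CSRF deliberately disabled for anonymous forms: <reason>; accepted risk: login CSRF` would stop the next reader from treating it as an oversight.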
@@ -73,7 +73,7 @@ def index():
def register():
#TODO: check for double uids
#TODO: check for double mails
- form = RegisterForm(request.form)
+ form = RegisterForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
username = form.username.data
mail = form.mail.data
@@ -104,7 +104,7 @@ def register_complete(token):
username, mail = http_verify_confirmation('register', token.encode('ascii'), timeout=3*24*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
password = form.password.data
@@ -129,7 +129,7 @@ def register_complete(token):
@templated('lost_password.html')
@logout_required
def lost_password():
- form = LostPasswordForm(request.form)
+ form = LostPasswordForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
#TODO: make the link only usable once (e.g include a hash of the old pw)
# atm the only thing we do is make the link valid for only little time
@@ -156,7 +156,7 @@ def lost_password():
def lost_password_complete(token):
username, = http_verify_confirmation('lost_password', token.encode('ascii'), timeout=4*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
user = g.ldap.get_by_uid(username)
user.change_password(form.password.data)
@@ -261,7 +261,6 @@ def about():
return {}
-
@app.route('/debug')
def debug():
raise Exception()