authorMarian Sigler <m@qjym.de>2012-09-28 03:12:52 +0200
committerMarian Sigler <m@qjym.de>2012-09-28 03:16:12 +0200
commit2676e1d7130160673c408987c4aeef83f9f57b6d (patch)
tree73937f3ae6d5d4f70157b213bdad9c65545200bc /templates
parenta9b2f0624d5f9095747e9c2a8518199375c5e815 (diff)
Disable csrf where user is not logged in; Show CSRF errors in forms.
Diffstat (limited to 'templates')
-rw-r--r--templates/_macros.html11
-rw-r--r--templates/index.html1
-rw-r--r--templates/lost_password.html1
-rw-r--r--templates/lost_password_complete.html1
-rw-r--r--templates/register.html1
-rw-r--r--templates/register_complete.html1
-rw-r--r--templates/settings.html4
7 files changed, 13 insertions, 7 deletions
diff --git a/templates/_macros.html b/templates/_macros.html
index 265584f..1608c1f 100644
--- a/templates/_macros.html
+++ b/templates/_macros.html
@@ -8,6 +8,17 @@
</div>
{%- endmacro %}
+{% macro render_csrf(form) %}
+{{ form.csrf_token }}
+{%- if 'csrf_token' in form.errors %}
+<div class="control-group">
+ <div class="controls">
+ {{ render_errors(form.errors.csrf_token) }}
+ </div>
+</div>
+{%- endif %}
+{%- endmacro %}
+
{% macro render_errors(errors) %}
{%- if errors|length == 1 %}
<div class="errors">
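Review bot: render_csrf has no comment saying it is meant only for forms that still carry a CSRF field, and after this commit only settings.html calls it. I would add `{# Hidden CSRF field plus its validation error; only for forms with CSRF enabled. #}` above the macro, since `{{ form.csrf_token }}` presumably renders as nothing (Jinja's default undefined handling) when the field is absent, and the missing token would go unnoticed. Separately, the commit title and the index.html hunk indicate the login form now posts without a token; login CSRF (a victim being signed in to an account someone else controls) is usually mitigated by keeping the token on that form via a pre-login session, so that exemption deserves a second look. The server-side change is outside this diff (the diffstat is limited to templates), and render_errors continues past the end of the hunk.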
diff --git a/templates/index.html b/templates/index.html
index 3e192e5..e28d126 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -12,7 +12,6 @@
</p>
{{ render_field(form.username, autofocus="autofocus") }}
{{ render_field(form.password) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Login" /></div>
<p class="form-actions"><a href="/register">Account erstellen</a></div>
<p class="form-actions"><a href="/lost_password">Passwort vergessen</a></div>
diff --git a/templates/lost_password.html b/templates/lost_password.html
index 391af0d..0856366 100644
--- a/templates/lost_password.html
+++ b/templates/lost_password.html
@@ -10,7 +10,6 @@
mit dem du dir ein neues setzen kannst.
</p>
{{ render_field(form.username, autofocus="autofocus") }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Weiter" /></div>
</form>
{%- endblock %}
diff --git a/templates/lost_password_complete.html b/templates/lost_password_complete.html
index 21cfe1c..de59d64 100644
--- a/templates/lost_password_complete.html
+++ b/templates/lost_password_complete.html
@@ -13,7 +13,6 @@
</div>
{{ render_field(form.password, autofocus="autofocus") }}
{{ render_field(form.password_confirm) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Speichern" /></div>
</form>
{%- endblock %}
diff --git a/templates/register.html b/templates/register.html
index d8ef800..2fe562a 100644
--- a/templates/register.html
+++ b/templates/register.html
@@ -6,7 +6,6 @@
<form action="{{ url_for('register') }}" method="post" class="form-horizontal">
{{ render_field(form.username, autofocus="autofocus") }}
{{ render_field(form.mail) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="E-Mail-Adresse bestätigen" /></div>
</form>
{%- endblock %}
diff --git a/templates/register_complete.html b/templates/register_complete.html
index 629f9c9..1372b7f 100644
--- a/templates/register_complete.html
+++ b/templates/register_complete.html
@@ -19,7 +19,6 @@
</div>
{{ render_field(form.password, autofocus="autofocus") }}
{{ render_field(form.password_confirm) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Registrieren" /></div>
</form>
{%- endblock %}
diff --git a/templates/settings.html b/templates/settings.html
index 4dacea9..3189d6a 100644
--- a/templates/settings.html
+++ b/templates/settings.html
@@ -1,5 +1,5 @@
{%- extends 'base.html' %}
-{%- from '_macros.html' import render_field %}
+{%- from '_macros.html' import render_field, render_csrf %}
{%- set title = 'Einstellungen' %}
{%- block content %}
<form action="{{ url_for('settings') }}" method="post" class="form-horizontal">
@@ -7,7 +7,7 @@
{{ render_field(form.mail) }}
{{ render_field(form.password) }}
{{ render_field(form.password_confirm) }}
- {{ form.csrf_token }}
+ {{ render_csrf(form) }}
<div class="form-actions"><input type="submit" value="Speichern" name="submit_main" /></div>
<!--