-rw-r--r-- | app.py | 11 | ||||
-rw-r--r-- | templates/_macros.html | 11 | ||||
-rw-r--r-- | templates/index.html | 1 | ||||
-rw-r--r-- | templates/lost_password.html | 1 | ||||
-rw-r--r-- | templates/lost_password_complete.html | 1 | ||||
-rw-r--r-- | templates/register.html | 1 | ||||
-rw-r--r-- | templates/register_complete.html | 1 | ||||
-rw-r--r-- | templates/settings.html | 4 |
8 files changed, 18 insertions, 13 deletions
@@ -54,7 +54,7 @@ def template_default_context(): @templated('index.html') def index(): if not g.user: - form = LoginForm(request.form) + form = LoginForm(request.form, csrf_enabled=False) if request.method == 'POST' and form.validate(): if login_user(form.username.data, form.password.data): flash(u'Erfolgreich eingeloggt', 'success') @@ -73,7 +73,7 @@ def index(): def register(): #TODO: check for double uids #TODO: check for double mails - form = RegisterForm(request.form) + form = RegisterForm(request.form, csrf_enabled=False) if request.method == 'POST' and form.validate(): username = form.username.data mail = form.mail.data @@ -104,7 +104,7 @@ def register_complete(token): username, mail = http_verify_confirmation('register', token.encode('ascii'), timeout=3*24*60*60) - form = RegisterCompleteForm(request.form) + form = RegisterCompleteForm(request.form, csrf_enabled=False) if request.method == 'POST' and form.validate(): password = form.password.data @@ -129,7 +129,7 @@ def register_complete(token): @templated('lost_password.html') @logout_required def lost_password(): - form = LostPasswordForm(request.form) + form = LostPasswordForm(request.form, csrf_enabled=False) if request.method == 'POST' and form.validate(): #TODO: make the link only usable once (e.g include a hash of the old pw) # atm the only thing we do is make the link valid for only little time @@ -156,7 +156,7 @@ def lost_password(): def lost_password_complete(token): username, = http_verify_confirmation('lost_password', token.encode('ascii'), timeout=4*60*60) - form = RegisterCompleteForm(request.form) + form = RegisterCompleteForm(request.form, csrf_enabled=False) if request.method == 'POST' and form.validate(): user = g.ldap.get_by_uid(username) user.change_password(form.password.data) @@ -261,7 +261,6 @@ def about(): return {} - @app.route('/debug') def debug(): raise Exception() diff --git a/templates/_macros.html b/templates/_macros.html index 265584f..1608c1f 100644 
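Review bot: Passing `csrf_enabled=False` to `LoginForm` in the first hunk (and dropping `{{ form.csrf_token }}` from index.html in the same commit) removes CSRF protection from the login form, which enables login CSRF: a third-party page can POST attacker-chosen credentials and silently log the victim into an attacker-controlled account, after which anything the victim enters is visible to that account's owner. The settings form keeps its token via `render_csrf`, so the commit seems to assume pre-authentication forms do not need one; that holds less well for login than for register/lost_password, where the token of the form alone is not a meaningful secret. I would keep `form = LoginForm(request.form)` and put `{{ render_csrf(form) }}` back into index.html, and at minimum leave a comment on the other `csrf_enabled=False` calls recording why the token is deliberately omitted there. The bodies of `index()` and the other changed views continue past these hunks, so the post-validation handling is not visible here.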
--- a/templates/_macros.html +++ b/templates/_macros.html @@ -8,6 +8,17 @@ </div> {%- endmacro %} +{% macro render_csrf(form) %} +{{ form.csrf_token }} +{%- if 'csrf_token' in form.errors %} +<div class="control-group"> + <div class="controls"> + {{ render_errors(form.errors.csrf_token) }} + </div> +</div> +{%- endif %} +{%- endmacro %} + {% macro render_errors(errors) %} {%- if errors|length == 1 %} <div class="errors"> diff --git a/templates/index.html b/templates/index.html index 3e192e5..e28d126 100644 --- a/templates/index.html +++ b/templates/index.html @@ -12,7 +12,6 @@ </p> {{ render_field(form.username, autofocus="autofocus") }} {{ render_field(form.password) }} - {{ form.csrf_token }} <div class="form-actions"><input type="submit" value="Login" /></div> <p class="form-actions"><a href="/register">Account erstellen</a></div> <p class="form-actions"><a href="/lost_password">Passwort vergessen</a></div> diff --git a/templates/lost_password.html b/templates/lost_password.html index 391af0d..0856366 100644 --- a/templates/lost_password.html +++ b/templates/lost_password.html @@ -10,7 +10,6 @@ mit dem du dir ein neues setzen kannst. </p> {{ render_field(form.username, autofocus="autofocus") }} - {{ form.csrf_token }} <div class="form-actions"><input type="submit" value="Weiter" /></div> </form> {%- endblock %} diff --git a/templates/lost_password_complete.html b/templates/lost_password_complete.html index 21cfe1c..de59d64 100644 --- a/templates/lost_password_complete.html +++ b/templates/lost_password_complete.html @@ -13,7 +13,6 @@ </div> {{ render_field(form.password, autofocus="autofocus") }} {{ render_field(form.password_confirm) }} - {{ form.csrf_token }} <div class="form-actions"><input type="submit" value="Speichern" /></div> </form> {%- endblock %} diff --git a/templates/register.html b/templates/register.html index d8ef800..2fe562a 100644 --- a/templates/register.html +++ b/templates/register.html 
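Review bot: The new `render_csrf` macro has no comment stating its precondition, which matters because the same commit builds several forms with `csrf_enabled=False` and it is not obvious from the template side whether `form.csrf_token` still resolves on such a form; if it does not, a later call of the macro on one of them would render an empty hidden field or fail, depending on the Flask-WTF version. I would add `{# Render the hidden CSRF field and its validation errors; only for forms constructed with CSRF enabled (e.g. settings). #}` above the macro definition. The macro itself looks correct: it emits the field and reports `form.errors.csrf_token` through the existing `render_errors` helper.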
@@ -6,7 +6,6 @@ <form action="{{ url_for('register') }}" method="post" class="form-horizontal"> {{ render_field(form.username, autofocus="autofocus") }} {{ render_field(form.mail) }} - {{ form.csrf_token }} <div class="form-actions"><input type="submit" value="E-Mail-Adresse bestätigen" /></div> </form> {%- endblock %} diff --git a/templates/register_complete.html b/templates/register_complete.html index 629f9c9..1372b7f 100644 --- a/templates/register_complete.html +++ b/templates/register_complete.html @@ -19,7 +19,6 @@ </div> {{ render_field(form.password, autofocus="autofocus") }} {{ render_field(form.password_confirm) }} - {{ form.csrf_token }} <div class="form-actions"><input type="submit" value="Registrieren" /></div> </form> {%- endblock %} diff --git a/templates/settings.html b/templates/settings.html index 4dacea9..3189d6a 100644 --- a/templates/settings.html +++ b/templates/settings.html @@ -1,5 +1,5 @@ {%- extends 'base.html' %} -{%- from '_macros.html' import render_field %} +{%- from '_macros.html' import render_field, render_csrf %} {%- set title = 'Einstellungen' %} {%- block content %} <form action="{{ url_for('settings') }}" method="post" class="form-horizontal"> @@ -7,7 +7,7 @@ {{ render_field(form.mail) }} {{ render_field(form.password) }} {{ render_field(form.password_confirm) }} - {{ form.csrf_token }} + {{ render_csrf(form) }} <div class="form-actions"><input type="submit" value="Speichern" name="submit_main" /></div> <!-- |