-rw-r--r--app.py11
-rw-r--r--templates/_macros.html11
-rw-r--r--templates/index.html1
-rw-r--r--templates/lost_password.html1
-rw-r--r--templates/lost_password_complete.html1
-rw-r--r--templates/register.html1
-rw-r--r--templates/register_complete.html1
-rw-r--r--templates/settings.html4
8 files changed, 18 insertions, 13 deletions
diff --git a/app.py b/app.py
index f06eb0b..dfe3b5a 100644
--- a/app.py
+++ b/app.py
@@ -54,7 +54,7 @@ def template_default_context():
@templated('index.html')
def index():
if not g.user:
- form = LoginForm(request.form)
+ form = LoginForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
if login_user(form.username.data, form.password.data):
flash(u'Erfolgreich eingeloggt', 'success')
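Review bot: Passing `csrf_enabled=False` to `LoginForm` removes the CSRF token check from the login POST, so a forged cross-site request can complete a login in the victim's browser (login CSRF), and the same flag is applied to `RegisterForm`, `RegisterCompleteForm` (twice) and `LostPasswordForm` in the later hunks of this file, the last of which calls `user.change_password(...)` with no CSRF check at all. The templates in this commit drop `{{ form.csrf_token }}` for exactly these forms while settings.html keeps it via `render_csrf`, so the split looks deliberate, presumably because these are pre-login forms, but the reason is not recorded anywhere. At minimum each of these five lines should carry a comment stating the trade-off, e.g. `# CSRF check disabled on this anonymous form — see <ISSUE-ID placeholder>; the lost_password_complete form still changes a password and should be revisited`. The body of `index()` continues outside this hunk.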
@@ -73,7 +73,7 @@ def index():
def register():
#TODO: check for double uids
#TODO: check for double mails
- form = RegisterForm(request.form)
+ form = RegisterForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
username = form.username.data
mail = form.mail.data
@@ -104,7 +104,7 @@ def register_complete(token):
username, mail = http_verify_confirmation('register', token.encode('ascii'), timeout=3*24*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
password = form.password.data
@@ -129,7 +129,7 @@ def register_complete(token):
@templated('lost_password.html')
@logout_required
def lost_password():
- form = LostPasswordForm(request.form)
+ form = LostPasswordForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
#TODO: make the link only usable once (e.g include a hash of the old pw)
# atm the only thing we do is make the link valid for only little time
@@ -156,7 +156,7 @@ def lost_password():
def lost_password_complete(token):
username, = http_verify_confirmation('lost_password', token.encode('ascii'), timeout=4*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
if request.method == 'POST' and form.validate():
user = g.ldap.get_by_uid(username)
user.change_password(form.password.data)
@@ -261,7 +261,6 @@ def about():
return {}
-
@app.route('/debug')
def debug():
raise Exception()
diff --git a/templates/_macros.html b/templates/_macros.html
index 265584f..1608c1f 100644
--- a/templates/_macros.html
+++ b/templates/_macros.html
@@ -8,6 +8,17 @@
</div>
{%- endmacro %}
+{% macro render_csrf(form) %}
+{{ form.csrf_token }}
+{%- if 'csrf_token' in form.errors %}
+<div class="control-group">
+ <div class="controls">
+ {{ render_errors(form.errors.csrf_token) }}
+ </div>
+</div>
+{%- endif %}
+{%- endmacro %}
+
{% macro render_errors(errors) %}
{%- if errors|length == 1 %}
<div class="errors">
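Review bot: The new `render_csrf` macro tests membership with `'csrf_token' in form.errors` but then reads the entry with attribute access `form.errors.csrf_token`; using the same access style on both lines, `{{ render_errors(form.errors['csrf_token']) }}`, makes the lookup explicit and avoids relying on Jinja's attribute-to-item fallback. A one-line comment above the macro, such as `{# renders the hidden CSRF field plus any token error; only wired into settings.html in this commit #}`, would also tell a reader why the other form templates do not call it. The `render_errors` macro that follows runs past the end of this hunk.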
diff --git a/templates/index.html b/templates/index.html
index 3e192e5..e28d126 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -12,7 +12,6 @@
</p>
{{ render_field(form.username, autofocus="autofocus") }}
{{ render_field(form.password) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Login" /></div>
<p class="form-actions"><a href="/register">Account erstellen</a></div>
<p class="form-actions"><a href="/lost_password">Passwort vergessen</a></div>
diff --git a/templates/lost_password.html b/templates/lost_password.html
index 391af0d..0856366 100644
--- a/templates/lost_password.html
+++ b/templates/lost_password.html
@@ -10,7 +10,6 @@
mit dem du dir ein neues setzen kannst.
</p>
{{ render_field(form.username, autofocus="autofocus") }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Weiter" /></div>
</form>
{%- endblock %}
diff --git a/templates/lost_password_complete.html b/templates/lost_password_complete.html
index 21cfe1c..de59d64 100644
--- a/templates/lost_password_complete.html
+++ b/templates/lost_password_complete.html
@@ -13,7 +13,6 @@
</div>
{{ render_field(form.password, autofocus="autofocus") }}
{{ render_field(form.password_confirm) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Speichern" /></div>
</form>
{%- endblock %}
diff --git a/templates/register.html b/templates/register.html
index d8ef800..2fe562a 100644
--- a/templates/register.html
+++ b/templates/register.html
@@ -6,7 +6,6 @@
<form action="{{ url_for('register') }}" method="post" class="form-horizontal">
{{ render_field(form.username, autofocus="autofocus") }}
{{ render_field(form.mail) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="E-Mail-Adresse bestätigen" /></div>
</form>
{%- endblock %}
diff --git a/templates/register_complete.html b/templates/register_complete.html
index 629f9c9..1372b7f 100644
--- a/templates/register_complete.html
+++ b/templates/register_complete.html
@@ -19,7 +19,6 @@
</div>
{{ render_field(form.password, autofocus="autofocus") }}
{{ render_field(form.password_confirm) }}
- {{ form.csrf_token }}
<div class="form-actions"><input type="submit" value="Registrieren" /></div>
</form>
{%- endblock %}
diff --git a/templates/settings.html b/templates/settings.html
index 4dacea9..3189d6a 100644
--- a/templates/settings.html
+++ b/templates/settings.html
@@ -1,5 +1,5 @@
{%- extends 'base.html' %}
-{%- from '_macros.html' import render_field %}
+{%- from '_macros.html' import render_field, render_csrf %}
{%- set title = 'Einstellungen' %}
{%- block content %}
<form action="{{ url_for('settings') }}" method="post" class="form-horizontal">
@@ -7,7 +7,7 @@
{{ render_field(form.mail) }}
{{ render_field(form.password) }}
{{ render_field(form.password_confirm) }}
- {{ form.csrf_token }}
+ {{ render_csrf(form) }}
<div class="form-actions"><input type="submit" value="Speichern" name="submit_main" /></div>
<!--