From 2676e1d7130160673c408987c4aeef83f9f57b6d Mon Sep 17 00:00:00 2001
From: Marian Sigler
Date: Fri, 28 Sep 2012 03:12:52 +0200
Subject: Disable csrf where user is not logged in; Show CSRF errors in forms.
---
 app.py | 11 +++++------
 templates/_macros.html | 11 +++++++++++
 templates/index.html | 1 -
 templates/lost_password.html | 1 -
 templates/lost_password_complete.html | 1 -
 templates/register.html | 1 -
 templates/register_complete.html | 1 -
 templates/settings.html | 4 ++--
 8 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/app.py b/app.py
index f06eb0b..dfe3b5a 100644
--- a/app.py
+++ b/app.py
@@ -54,7 +54,7 @@ def template_default_context():
 @templated('index.html')
 def index():
 if not g.user:
- form = LoginForm(request.form)
+ form = LoginForm(request.form, csrf_enabled=False)
 if request.method == 'POST' and form.validate():
 if login_user(form.username.data, form.password.data):
 flash(u'Erfolgreich eingeloggt', 'success')
@@ -73,7 +73,7 @@ def index():
 def register():
 #TODO: check for double uids
 #TODO: check for double mails
- form = RegisterForm(request.form)
+ form = RegisterForm(request.form, csrf_enabled=False)
 if request.method == 'POST' and form.validate():
 username = form.username.data
 mail = form.mail.data
@@ -104,7 +104,7 @@ def register_complete(token):
 username, mail = http_verify_confirmation('register', token.encode('ascii'), timeout=3*24*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
 if request.method == 'POST' and form.validate():
 password = form.password.data
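Review bot: `form = LoginForm(request.form, csrf_enabled=False)` opens the login handler to login CSRF: any third-party page can POST attacker-chosen credentials here from a visitor's browser, `login_user` accepts them, and the victim is silently logged into the attacker's account, so whatever they enter afterwards (the mail/password fields in settings, for instance) is written to that account. The anti-CSRF token of the form library in use (presumably Flask-WTF, going by the `csrf_enabled` keyword) is bound to the session cookie rather than to an authenticated user, so it can stay enabled for anonymous visitors; if it was failing before login, that looks like a session-cookie problem (the GET that renders the form has to establish one) and is the thing to fix rather than the check to remove. I would keep `form = LoginForm(request.form)` here and render the token in index.html through the new `render_csrf` macro instead of deleting it. The same reasoning applies to the register hunk below, where dropping the check only gains that registrations can be triggered from other people's browsers. index()'s body continues outside the hunk.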
@@ -129,7 +129,7 @@ def register_complete(token):
 @templated('lost_password.html')
 @logout_required
 def lost_password():
- form = LostPasswordForm(request.form)
+ form = LostPasswordForm(request.form, csrf_enabled=False)
 if request.method == 'POST' and form.validate():
 #TODO: make the link only usable once (e.g include a hash of the old pw)
 # atm the only thing we do is make the link valid for only little time
@@ -156,7 +156,7 @@ def lost_password():
 def lost_password_complete(token):
 username, = http_verify_confirmation('lost_password', token.encode('ascii'), timeout=4*60*60)
- form = RegisterCompleteForm(request.form)
+ form = RegisterCompleteForm(request.form, csrf_enabled=False)
 if request.method == 'POST' and form.validate():
 user = g.ldap.get_by_uid(username)
 user.change_password(form.password.data)
@@ -261,7 +261,6 @@ def about():
 return {}
-
 @app.route('/debug')
 def debug():
 raise Exception()
diff --git a/templates/_macros.html b/templates/_macros.html
index 265584f..1608c1f 100644
--- a/templates/_macros.html
+++ b/templates/_macros.html
@@ -8,6 +8,17 @@
 {%- endmacro %}
+{% macro render_csrf(form) %}
+{{ form.csrf_token }}
+{%- if 'csrf_token' in form.errors %}
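Review bot: With `LostPasswordForm(request.form, csrf_enabled=False)` the reset-request endpoint accepts cross-site POSTs, so any page can fire password-reset mails for an arbitrary username from a visitor's browser. The attacker could already send those requests directly, so what the token bought here was only that such abuse could not be routed through other users' browsers and IP addresses — which matters if there is any per-client throttling of reset mails (not visible in this hunk), and the `#TODO` right below says the reset link is not yet single-use. The situation differs from lost_password_complete in the next hunk, where a forged POST would also need the URL token, so dropping CSRF there is defensible; for this request form there is no such secret, and I would either keep the check or document the decision at the changed line, e.g. `# CSRF deliberately off: anonymous form, no session yet; the reset link itself is the capability`. lost_password's body continues outside the hunk.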
+
+ {{ render_errors(form.errors.csrf_token) }} +
+
+{%- endif %} +{%- endmacro %} + {% macro render_errors(errors) %} {%- if errors|length == 1 %}
diff --git a/templates/index.html b/templates/index.html index 3e192e5..e28d126 100644 --- a/templates/index.html +++ b/templates/index.html @@ -12,7 +12,6 @@

{{ render_field(form.username, autofocus="autofocus") }} {{ render_field(form.password) }} - {{ form.csrf_token }}

Account erstellen

Passwort vergessen diff --git a/templates/lost_password.html b/templates/lost_password.html index 391af0d..0856366 100644 --- a/templates/lost_password.html +++ b/templates/lost_password.html @@ -10,7 +10,6 @@ mit dem du dir ein neues setzen kannst.

{{ render_field(form.username, autofocus="autofocus") }} - {{ form.csrf_token }}
{%- endblock %} diff --git a/templates/lost_password_complete.html b/templates/lost_password_complete.html index 21cfe1c..de59d64 100644 --- a/templates/lost_password_complete.html +++ b/templates/lost_password_complete.html @@ -13,7 +13,6 @@ {{ render_field(form.password, autofocus="autofocus") }} {{ render_field(form.password_confirm) }} - {{ form.csrf_token }}
{%- endblock %} diff --git a/templates/register.html b/templates/register.html index d8ef800..2fe562a 100644 --- a/templates/register.html +++ b/templates/register.html @@ -6,7 +6,6 @@
{{ render_field(form.username, autofocus="autofocus") }} {{ render_field(form.mail) }} - {{ form.csrf_token }}
{%- endblock %} diff --git a/templates/register_complete.html b/templates/register_complete.html index 629f9c9..1372b7f 100644 --- a/templates/register_complete.html +++ b/templates/register_complete.html @@ -19,7 +19,6 @@ {{ render_field(form.password, autofocus="autofocus") }} {{ render_field(form.password_confirm) }} - {{ form.csrf_token }}
{%- endblock %} diff --git a/templates/settings.html b/templates/settings.html index 4dacea9..3189d6a 100644 --- a/templates/settings.html +++ b/templates/settings.html @@ -1,5 +1,5 @@ {%- extends 'base.html' %} -{%- from '_macros.html' import render_field %} +{%- from '_macros.html' import render_field, render_csrf %} {%- set title = 'Einstellungen' %} {%- block content %}
@@ -7,7 +7,7 @@ {{ render_field(form.mail) }} {{ render_field(form.password) }} {{ render_field(form.password_confirm) }} - {{ form.csrf_token }} + {{ render_csrf(form) }}