From 2676e1d7130160673c408987c4aeef83f9f57b6d Mon Sep 17 00:00:00 2001
From: Marian Sigler
Date: Fri, 28 Sep 2012 03:12:52 +0200
Subject: Disable csrf where user is not logged in; Show CSRF errors in forms.

---
 app.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'app.py')

diff --git a/app.py b/app.py
index f06eb0b..dfe3b5a 100644
--- a/app.py
+++ b/app.py
@@ -54,7 +54,7 @@ def template_default_context():
 @templated('index.html')
 def index():
     if not g.user:
-        form = LoginForm(request.form)
+        form = LoginForm(request.form, csrf_enabled=False)
         if request.method == 'POST' and form.validate():
             if login_user(form.username.data, form.password.data):
                 flash(u'Erfolgreich eingeloggt', 'success')
@@ -73,7 +73,7 @@ def index():
 def register():
     #TODO: check for double uids
     #TODO: check for double mails
-    form = RegisterForm(request.form)
+    form = RegisterForm(request.form, csrf_enabled=False)
     if request.method == 'POST' and form.validate():
         username = form.username.data
         mail = form.mail.data
@@ -104,7 +104,7 @@ def register_complete(token):
     username, mail = http_verify_confirmation('register', token.encode('ascii'), timeout=3*24*60*60)
-    form = RegisterCompleteForm(request.form)
+    form = RegisterCompleteForm(request.form, csrf_enabled=False)
     if request.method == 'POST' and form.validate():
         password = form.password.data
@@ -129,7 +129,7 @@ def register_complete(token):
 @templated('lost_password.html')
 @logout_required
 def lost_password():
-    form = LostPasswordForm(request.form)
+    form = LostPasswordForm(request.form, csrf_enabled=False)
     if request.method == 'POST' and form.validate():
         #TODO: make the link only usable once (e.g include a hash of the old pw)
         # atm the only thing we do is make the link valid for only little time
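Review bot: Passing `csrf_enabled=False` to `LoginForm` in index() drops CSRF protection from the login form, and the same change to `RegisterForm`, `RegisterCompleteForm` and `LostPasswordForm` in the register, register_complete, lost_password and lost_password_complete hunks does the same for registration and password reset; all of these are state-changing POSTs (login, account creation, `user.change_password(...)`) and should keep the token even though no user is logged in yet. The `csrf_enabled` keyword looks like Flask-WTF's form API, where the token is tied to the session cookie rather than to an authenticated user, so if the motivation is that anonymous visitors have no token, the fix is to make sure a session is established before the form is built rather than to disable the check. If there is a reason the token cannot work pre-login, it belongs in a comment next to each `csrf_enabled=False`, e.g. `# CSRF disabled here because <reason>; see <tracking reference>`. The subject line also says "Show CSRF errors in forms", but nothing in this app.py diff renders a CSRF error; if that lives in templates outside this commit, the description should say so.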
@@ -156,7 +156,7 @@ def lost_password():
 def lost_password_complete(token):
     username, = http_verify_confirmation('lost_password', token.encode('ascii'), timeout=4*60*60)
-    form = RegisterCompleteForm(request.form)
+    form = RegisterCompleteForm(request.form, csrf_enabled=False)
     if request.method == 'POST' and form.validate():
         user = g.ldap.get_by_uid(username)
         user.change_password(form.password.data)
@@ -261,7 +261,6 @@ def about():
     return {}
-
 @app.route('/debug')
 def debug():
     raise Exception()
--
cgit v1.2.3-1-g7c22