author | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2013-02-26 01:07:34 -0300 |
committer | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2013-02-26 01:07:34 -0300 |
commit | 7da289bd941efe3cedb4a428d83fd51f96f57899 (patch) | |
tree | 9cffa28c18702b22b2f8e9c21cdaddae48f7fc96 | |
parent | 539530acca3e43768b901648ccfb448402355267 (diff) | |
added CSRF protection to the widget forms
-rw-r--r-- | askbot/templates/embed/delete_widget.html | 2 | ||||
-rw-r--r-- | askbot/templates/embed/widget_form.html | 2 | ||||
-rw-r--r-- | askbot/views/widgets.py | 3 |
3 files changed, 5 insertions, 2 deletions
diff --git a/askbot/templates/embed/delete_widget.html b/askbot/templates/embed/delete_widget.html
index ed80c537..7f4be5a3 100644
--- a/askbot/templates/embed/delete_widget.html
+++ b/askbot/templates/embed/delete_widget.html
@@ -5,7 +5,7 @@
 <h1>Are you sure that you cant to delete this {{widget_name|capitalize}}Widget?</h1>
 <br/>
 <strong>Warning: This could break the widgets on sites that currently use this widget please make sure that you don't use the widget in other sites</strong>
-<form action="." method="POST">
+<form action="." method="POST">{% csrf_token %}
 <p><input type='submit' value='Delete' /> <a href="{% url list_widgets widget_name %}">Go Back</a></p>
 </form>
 {% endblock %}
diff --git a/askbot/templates/embed/widget_form.html b/askbot/templates/embed/widget_form.html
index 65128d8e..ad1562aa 100644
--- a/askbot/templates/embed/widget_form.html
+++ b/askbot/templates/embed/widget_form.html
@@ -6,7 +6,7 @@
 {#% if form.non_field_errors() %}
 {{ form.non_field_errors() }}
 {% endif %#}
-<form method="post">
+<form method="post">{% csrf_token %}
 <table>
 {{ form.as_table() }}
 <tr>
diff --git a/askbot/views/widgets.py b/askbot/views/widgets.py
index f607411d..4d7d02b2 100644
--- a/askbot/views/widgets.py
+++ b/askbot/views/widgets.py
@@ -157,6 +157,7 @@ def list_widgets(request, model):
 return render(request, 'embed/list_widgets.html', data)
 
 @decorators.admins_only
+@csrf.csrf_protect
 def create_widget(request, model):
 form_class = _get_form(model)
 model_class = _get_model(model)
@@ -175,6 +176,7 @@ def edit_widget(request, model, widget_id):
 return render(request, 'embed/widget_form.html', data)
 
 @decorators.admins_only
+@csrf.csrf_protect
 def edit_widget(request, model, widget_id):
 model_class = _get_model(model)
 form_class = _get_form(model)
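Review bot: The `{% csrf_token %}` added to the `<form action="." method="POST">` line only protects the delete form if the template engine actually expands it into the hidden `csrfmiddlewaretoken` input; the `form.as_table()` / `form.non_field_errors()` call syntax elsewhere in this commit suggests these templates are rendered by Jinja2, where `csrf_token` is not a built-in tag but must come from the project's Jinja2/Coffin extension, so confirm the rendered confirmation page contains that hidden field rather than a template error. The token is only populated when the view renders with the request object, which `render(request, 'embed/widget_form.html', data)` in widgets.py does, so that part is consistent. The `{% block %}` enclosing this form opens outside the hunk.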
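Review bot: `@csrf.csrf_protect` on `create_widget` uses a `csrf` name that this diff does not import; it is presumably `from django.views.decorators import csrf` already at the top of widgets.py, outside the hunk, and that should be confirmed because a missing import only surfaces when the module loads. The decorator order is sound: `@decorators.admins_only` is outermost, so unauthenticated or non-admin requests are rejected before the token check runs and no CSRF failure page leaks to them. If `CsrfViewMiddleware` is already enabled project-wide the decorator is redundant but harmless; if it is not, note that `csrf_protect` only enforces the check on unsafe methods and the protection is only as good as the cookie/session it is bound to. `create_widget`'s body continues past the end of the hunk.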
@@ -214,6 +216,7 @@ def edit_widget(request, model, widget_id):
 return render(request, 'embed/widget_form.html', data)
 
 @decorators.admins_only
+@csrf.csrf_protect
 def delete_widget(request, model, widget_id):
 model_class = _get_model(model)
 widget = get_object_or_404(model_class, pk=widget_id)
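Review bot: `@csrf.csrf_protect` on `delete_widget` only checks the token for unsafe methods (POST/PUT/PATCH/DELETE), so it gives no protection if the view also performs the deletion on a GET request; the body after `widget = get_object_or_404(model_class, pk=widget_id)` is outside the hunk, so confirm the delete is gated on `if request.method == 'POST':` (or add `@require_POST` beneath `@decorators.admins_only`), otherwise an `<img src=...>` or link on any page an admin visits still deletes the widget. Since `delete_widget.html` submits with `method="POST"` and `action="."`, a GET to this URL should only render the confirmation page. `delete_widget`'s body continues outside the hunk.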