author | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2011-04-19 14:19:10 -0400 |
---|---|---|
committer | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2011-04-19 14:19:10 -0400 |
commit | c440d4e27cd1acc5aa557ebda301cde6bc1155b8 (patch) | |
tree | 1436c50eac3165ce3ee326eed8c71d0ec1703ce5 | |
parent | 023db4c55664c77bff2b1b289841e174a1e81b80 (diff) | |
added csrf tokens to all post forms
33 files changed, 83 insertions, 29 deletions
diff --git a/askbot/deps/django_authopenid/views.py b/askbot/deps/django_authopenid/views.py index 411f18ef..bda0e66f 100644 --- a/askbot/deps/django_authopenid/views.py +++ b/askbot/deps/django_authopenid/views.py @@ -40,6 +40,7 @@ from django.contrib.auth.models import User from django.contrib.auth.decorators import login_required from django.contrib.auth import authenticate from django.core.urlresolvers import reverse +from django.views.decorators import csrf from django.utils.encoding import smart_unicode from django.utils.html import escape from django.utils.translation import ugettext as _ @@ -258,6 +259,7 @@ def complete_oauth_signin(request): return HttpResponseRedirect(next_url) #@not_authenticated +@csrf.csrf_protect def signin( request, newquestion = False,#todo: not needed @@ -447,6 +449,7 @@ def signin( view_subtype = view_subtype ) +@csrf.csrf_protect def show_signin_view( request, login_form = None, @@ -690,6 +693,7 @@ def finalize_generic_signin( return HttpResponseRedirect(redirect_url) @not_authenticated +@csrf.csrf_protect def register(request, login_provider_name=None, user_identifier=None): """ this function is used via it's own url with request.method=POST @@ -833,6 +837,7 @@ def signin_failure(request, message): @not_authenticated @decorators.valid_password_login_provider_required +@csrf.csrf_protect def signup_with_password(request): """Create a password-protected account template: authopenid/signup_with_password.html @@ -1024,6 +1029,7 @@ def send_new_email_key(user,nomessage=False): set_email_validation_message(user) @login_required +@csrf.csrf_protect def send_email_key(request): """ url = /email/sendkey/ diff --git a/askbot/doc/source/index.rst b/askbot/doc/source/index.rst index 19d94c26..981af741 100644 --- a/askbot/doc/source/index.rst +++ b/askbot/doc/source/index.rst 
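Review bot: The per-view `@csrf.csrf_protect` decorators added before `signin`, `show_signin_view`, `register`, `signup_with_password` and `send_email_key` make CSRF enforcement opt-in, so any POST handler not listed stays unprotected by omission — the forms in `changeemail.html` (`action="."`) and `signin.html` (`account-recovery-form`, posting to `user_account_recover`) receive `{% csrf_token %}` later in this diff, but no matching view is decorated in these hunks (they may be protected elsewhere). Enabling `django.middleware.csrf.CsrfViewMiddleware` in `MIDDLEWARE_CLASSES` makes the check the default for every view and leaves `csrf_exempt` for the few that genuinely need it; the same remark applies to the decorated views in `avatar_views.py`, `commands.py`, `meta.py`, `readers.py`, `users.py` and `writers.py`. Once the check is global, any JavaScript that POSTs must also send the token, e.g. in the `X-CSRFToken` header. The bodies of the decorated functions continue outside these hunks.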
@@ -22,6 +22,7 @@ at the forum_ or by email at admin@askbot.org Import data (StackExchange) <import-data> Appendix A: Maintenance procedures <management-commands> Appendix B: Sending email to askbot <sending-email-to-askbot> + Apperdix C: Optional modules <optional-modules> Contributors <contributors> Some background information: Askbot is written in Python on top of the Django platform. diff --git a/askbot/doc/source/optional-modules.rst b/askbot/doc/source/optional-modules.rst new file mode 100644 index 00000000..d7ca2f24 --- /dev/null +++ b/askbot/doc/source/optional-modules.rst @@ -0,0 +1,26 @@ +================ +Optional modules +================ + +Askbot supports a number of optional modules, enabling certain features, not available +in askbot by default. + +Uploaded avatars +================ + +To enable uploadable avatars (in addition to :ref:`gravatars <gravatar>`), +please install development version of +application ``django-avatar``, with the following command: + + pip install -e git+git://github.com/ericflo/django-avatar.git#egg=django-avatar + +Then add ``avatar`` to the list of ``INSTALLED_APPS`` in your ``settings.py`` file +and run (to install database table used by the avatar app): + + python manage.py syncdb + +.. note:: + + Version of the ``avatar`` application available at pypi may not + be up to date, so please take the development version from the + github repository diff --git a/askbot/skins/default/templates/answer_edit.html b/askbot/skins/default/templates/answer_edit.html index 0dc137ae..0d8b40da 100644 --- a/askbot/skins/default/templates/answer_edit.html +++ b/askbot/skins/default/templates/answer_edit.html 
@@ -11,7 +11,7 @@ </h1> <div id="main-body" class="ask-body"> <div id="askform"> - <form id="fmedit" action="{% url edit_answer answer.id %}" method="post" > + <form id="fmedit" action="{% url edit_answer answer.id %}" method="post" >{% csrf_token %} <label for="id_revision" ><strong>{% trans %}revision{% endtrans %}:</strong></label> <br/> {% if revision_form.revision.errors %}{{ revision_form.revision.errors.as_ul() }}{% endif %} <div style="vertical-align:middle"> diff --git a/askbot/skins/default/templates/authopenid/changeemail.html b/askbot/skins/default/templates/authopenid/changeemail.html index 52dc6a0c..1316a048 100644 --- a/askbot/skins/default/templates/authopenid/changeemail.html +++ b/askbot/skins/default/templates/authopenid/changeemail.html @@ -21,7 +21,7 @@ <p class="error">{{ msg }}</p> {% endif %} <div class="aligned"> - <form action="." method="post" accept-charset="utf-8"> + <form action="." method="post" accept-charset="utf-8">{% csrf_token %} {% if next %} <input type="hidden" name="next" value="{{next}}"/> {% endif %} diff --git a/askbot/skins/default/templates/authopenid/complete.html b/askbot/skins/default/templates/authopenid/complete.html index ccaf753a..40ec4ccc 100644 --- a/askbot/skins/default/templates/authopenid/complete.html +++ b/askbot/skins/default/templates/authopenid/complete.html @@ -48,11 +48,11 @@ parameters: {% endif %} <div class="login"> {% if login_type=='openid' %} - <form name="fregister" action="{% url user_register %}" method="POST"> + <form name="fregister" action="{% url user_register %}" method="POST">{% csrf_token %} {% elif login_type=='facebook' %} - <form name="fregister" action="" method="POST"> + <form name="fregister" action="" method="POST">{% csrf_token %} {% else %} - <form name="fregister" action="{% url user_signin %}" method="POST"> + <form name="fregister" action="{% url user_signin %}" method="POST">{% csrf_token %} {% endif %} {{ openid_register_form.next }} <div class="form-row-vertical"> 
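Review bot: `{% csrf_token %}` is not a Jinja2 builtin, and these skins are Jinja2 templates (`{% trans %}…{% endtrans %}`), so the tag added to the `fmedit`, `changeemail` and `fregister` forms here depends on a `csrf_token` extension being registered in the skin's template environment — that registration is not part of this diff and should be confirmed, otherwise each changed template fails to compile. The token also only defends a form when the view receiving the POST validates it; for `changeemail.html` (`action="."`) no corresponding view is decorated in the `django_authopenid/views.py` hunks above, so it may still be unchecked unless handled elsewhere. The same two points apply to the remaining template hunks in this commit.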
diff --git a/askbot/skins/default/templates/authopenid/signin.html b/askbot/skins/default/templates/authopenid/signin.html
index aa67c95f..9316255a 100644
--- a/askbot/skins/default/templates/authopenid/signin.html
+++ b/askbot/skins/default/templates/authopenid/signin.html
@@ -44,7 +44,7 @@ <p class="warning">{{ openid_error_message }}</p>
{% endif %}
{% if view_subtype != 'email_sent' and view_subtype != 'bad_key' %}
- <form id="signin-form" method="post" action="{% url user_signin %}">
+ <form id="signin-form" method="post" action="{% url user_signin %}">{% csrf_token %}
{# in this branch - the real signin view we display the login icons
here we hide the local login button only if admin
wants to always show the password login form - then
@@ -157,7 +157,7 @@ {% endif %}
{% if view_subtype != 'email_sent' or view_subtype == 'bad_key' %}
{% if user.is_anonymous() %}
- <form id="account-recovery-form" action="{% url user_account_recover %}" method="post">
+ <form id="account-recovery-form" action="{% url user_account_recover %}" method="post">{% csrf_token %}
{% if view_subtype != 'bad_key' %}
<h2 id='account-recovery-heading'>{% trans %}Still have trouble signing in?{% endtrans %}</h2>
{% endif %}
diff --git a/askbot/skins/default/templates/authopenid/signup_with_password.html b/askbot/skins/default/templates/authopenid/signup_with_password.html index d85f8671..b5680806 100644 --- a/askbot/skins/default/templates/authopenid/signup_with_password.html +++ b/askbot/skins/default/templates/authopenid/signup_with_password.html @@ -8,7 +8,7 @@ {% block content %} {% if settings.PASSWORD_REGISTER_SHOW_PROVIDER_BUTTONS == True %} <h1>{% trans %}Please register by clicking on any of the icons below{% endtrans %}</h1> - <form id="signin-form" method="post" action="{% url user_signin %}"> + <form id="signin-form" method="post" action="{% url user_signin %}">{% csrf_token %} {# hide_local_login == True because it is password reg form #} {{ login_macros.provider_buttons( @@ -25,7 +25,7 @@ <h1>{% trans %}Create login name and password{% endtrans %}</h1> <p class="message">{% trans %}Traditional signup info{% endtrans %}</p> {%endif%} -<form action="{% url user_signup_with_password %}" method="post" accept-charset="utf-8"> +<form action="{% url user_signup_with_password %}" method="post" accept-charset="utf-8">{% csrf_token %} {{form.login_provider}} <ul class="form-horizontal-rows"> <li><label for="usename_id">{{form.username.label}}</label>{{form.username}}{{form.username.errors}}</li> diff --git a/askbot/skins/default/templates/avatar/add.html b/askbot/skins/default/templates/avatar/add.html index df700d0c..68a188ef 100644 --- a/askbot/skins/default/templates/avatar/add.html +++ b/askbot/skins/default/templates/avatar/add.html @@ -8,7 +8,7 @@ {% if not avatars %} <p>{% trans %}You haven't uploaded an avatar yet. Please upload one now.{% endtrans %}</p> {% endif %} - <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}"> + <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}">{% csrf_token %} {{ upload_avatar_form.as_p() }} <p><input type="submit" value="{% trans %}Upload New Image{% endtrans %}" /></p> </form> 
diff --git a/askbot/skins/default/templates/avatar/change.html b/askbot/skins/default/templates/avatar/change.html index 7a88ddef..7921a662 100644 --- a/askbot/skins/default/templates/avatar/change.html +++ b/askbot/skins/default/templates/avatar/change.html @@ -10,14 +10,14 @@ {% if not avatars %} <p>{% trans %}You haven't uploaded an avatar yet. Please upload one now.{% endtrans %}</p> {% else %} - <form method="POST" action="{% url avatar_change %}"> + <form method="POST" action="{% url avatar_change %}">{% csrf_token %} <ul> {{ primary_avatar_form.as_ul() }} </ul> <p><input type="submit" value="{% trans %}Choose new Default{% endtrans %}" /></p> </form> {% endif %} - <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}"> + <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}">{% csrf_token %} {{ upload_avatar_form.as_p() }} <p><input type="submit" value="{% trans %}Upload{% endtrans %}" /></p> </form> diff --git a/askbot/skins/default/templates/avatar/confirm_delete.html b/askbot/skins/default/templates/avatar/confirm_delete.html index 042d7c0d..282d72fa 100644 --- a/askbot/skins/default/templates/avatar/confirm_delete.html +++ b/askbot/skins/default/templates/avatar/confirm_delete.html @@ -6,7 +6,7 @@ {% if not avatars %} <p>{% trans avatar_change_url="avatar_change"|url %}You have no avatars to delete. Please <a href="{{ avatar_change_url }}">upload one</a> now.{% endtrans %}</p> {% else %} - <form method="POST" action="{% url avatar_delete %}"> + <form method="POST" action="{% url avatar_delete %}">{% csrf_token %} <ul> {{ delete_avatar_form.as_ul() }} </ul> diff --git a/askbot/skins/default/templates/blocks/ask_form.html b/askbot/skins/default/templates/blocks/ask_form.html index 8df6c019..9b61c7ce 100644 --- a/askbot/skins/default/templates/blocks/ask_form.html +++ b/askbot/skins/default/templates/blocks/ask_form.html 
@@ -1,6 +1,6 @@ {% import "macros.html" as macros %} <div id="askform"> - <form id="fmask" action="" method="post" > + <form id="fmask" action="" method="post" >{% csrf_token %} <div class="form-item"> <div id="askFormBar"> {% if not request.user.is_authenticated() %} diff --git a/askbot/skins/default/templates/close.html b/askbot/skins/default/templates/close.html index 57ff5780..d8160865 100644 --- a/askbot/skins/default/templates/close.html +++ b/askbot/skins/default/templates/close.html @@ -6,7 +6,7 @@ <p>{% trans %}Close the question{% endtrans %}: <a href="{{ question.get_absolute_url() }}"> <strong>{{ question.get_question_title() }}</strong></a> </p> - <form id="fmclose" action="{% url close question.id %}" method="post" > + <form id="fmclose" action="{% url close question.id %}" method="post" >{% csrf_token %} <p> <strong>{% trans %}Reasons{% endtrans %}:</strong> {{ form.reason }} diff --git a/askbot/skins/default/templates/feedback.html b/askbot/skins/default/templates/feedback.html index 258a85dc..d5e8b3a7 100644 --- a/askbot/skins/default/templates/feedback.html +++ b/askbot/skins/default/templates/feedback.html @@ -3,7 +3,7 @@ {% block title %}{% spaceless %}{% trans %}Feedback{% endtrans %}{% endspaceless %}{% endblock %} {% block content %} <h1>{% trans %}Give us your feedback!{% endtrans %}</h1> -<form method="post" action="{% url feedback %}" accept-charset="utf-8"> +<form method="post" action="{% url feedback %}" accept-charset="utf-8">{% csrf_token %} {% if user.is_authenticated() %} <p class="message"> {% trans user_name=user.username %} diff --git a/askbot/skins/default/templates/import_data.html b/askbot/skins/default/templates/import_data.html index 7bc370ab..affeaa73 100644 --- a/askbot/skins/default/templates/import_data.html +++ b/askbot/skins/default/templates/import_data.html 
@@ -18,7 +18,7 @@ Please note that feedback will be printed in plain text. {% endtrans %} </p> - <form id="load-dump-form" method="post" enctype="multipart/form-data"> + <form id="load-dump-form" method="post" enctype="multipart/form-data">{% csrf_token %} <table> {{dump_upload_form.as_table()}} </table> diff --git a/askbot/skins/default/templates/question.html b/askbot/skins/default/templates/question.html index d95fd6c0..ffab9bd1 100644 --- a/askbot/skins/default/templates/question.html +++ b/askbot/skins/default/templates/question.html @@ -304,7 +304,7 @@ {{ macros.paginator(paginator_context) }} </div><br/> {% endif %} -<form id="fmanswer" action="{% url answer question.id %}" method="post"> +<form id="fmanswer" action="{% url answer question.id %}" method="post">{% csrf_token %} {% if request.user.is_authenticated() %} <p style="padding-left:3px"> {{ answer.email_notify }} diff --git a/askbot/skins/default/templates/question_edit.html b/askbot/skins/default/templates/question_edit.html index c1a84426..6a55e58c 100644 --- a/askbot/skins/default/templates/question_edit.html +++ b/askbot/skins/default/templates/question_edit.html @@ -7,7 +7,7 @@ {% endblock %} {% block content %} <h1>{% trans %}Edit question{% endtrans %} [<a href="{{ question.get_absolute_url() }}">{% trans %}back{% endtrans %}</a>]</h1> -<form id="fmedit" action="{% url edit_question question.id %}" method="post" > +<form id="fmedit" action="{% url edit_question question.id %}" method="post" >{% csrf_token %} <label for="id_revision" ><strong>{% trans %}revision{% endtrans %}:</strong></label> <br/> {% if revision_form.revision.errors %}{{ revision_form.revision.errors.as_ul() }}{% endif %} <div style="vertical-align:middle"> diff --git a/askbot/skins/default/templates/question_retag.html b/askbot/skins/default/templates/question_retag.html index f521ccb3..79cbbbff 100644 --- a/askbot/skins/default/templates/question_retag.html +++ b/askbot/skins/default/templates/question_retag.html 
@@ -4,7 +4,7 @@ {% block content %} <h1>{% trans %}Change tags{% endtrans %} [<a href="{{ question.get_absolute_url() }}">{% trans %}back{% endtrans %}</a>]</h1> <div id="askform"> - <form id="fmretag" action="{% url retag_question question.id %}" method="post" > + <form id="fmretag" action="{% url retag_question question.id %}" method="post" >{% csrf_token %} <h2> {{ question.get_question_title() }} </h2> diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html index 58d798a3..d68e8bdc 100644 --- a/askbot/skins/default/templates/reopen.html +++ b/askbot/skins/default/templates/reopen.html @@ -21,7 +21,7 @@ <p> {% trans %}Reopen this question?{% endtrans %} </p> -<form id="fmclose" action="{% url reopen question.id %}" method="post" > +<form id="fmclose" action="{% url reopen question.id %}" method="post" >{% csrf_token %} <div id="" style="padding:20px 0 20px 0"> <input type="submit" value="{% trans %}Reopen this question{% endtrans %}" class="submit" /> <input id="btBack" type="button" value="{% trans %}Cancel{% endtrans %}" class="submit" /> diff --git a/askbot/skins/default/templates/subscribe_for_tags.html b/askbot/skins/default/templates/subscribe_for_tags.html index 9a58ccbf..b436fb84 100644 --- a/askbot/skins/default/templates/subscribe_for_tags.html +++ b/askbot/skins/default/templates/subscribe_for_tags.html @@ -10,7 +10,7 @@ {% endfor %} </ul> <div style="clear:both;padding-top: 5px"> - <form method="post" action="{% url subscribe_for_tags %}"> + <form method="post" action="{% url subscribe_for_tags %}">{% csrf_token %} <input type="hidden" name="tags" value="{{tags|join(' ')|escape}}" /> <input type="submit" name="ok" value="{% trans %}Subscribe{% endtrans %}" /> <input type="submit" name="nope" value="{% trans %}Cancel{% endtrans %}" /> diff --git a/askbot/skins/default/templates/user_profile/user_edit.html b/askbot/skins/default/templates/user_profile/user_edit.html index 9308bf90..fe4ea35f 100644 
--- a/askbot/skins/default/templates/user_profile/user_edit.html +++ b/askbot/skins/default/templates/user_profile/user_edit.html @@ -7,7 +7,7 @@ {{ request.user.username }} - {% trans %}edit profile{% endtrans %} </h1> <div id="main-body" style="width:100%;padding-top:10px"> - <form name="" action="{% url edit_user request.user.id %}" method="post"> + <form name="" action="{% url edit_user request.user.id %}" method="post">{% csrf_token %} <div id="left" style="float:left;width:180px"> {% if request.user.email %} {{ macros.gravatar(request.user, 128) }} diff --git a/askbot/skins/default/templates/user_profile/user_email_subscriptions.html b/askbot/skins/default/templates/user_profile/user_email_subscriptions.html index 896a77f0..e6a18dd3 100644 --- a/askbot/skins/default/templates/user_profile/user_email_subscriptions.html +++ b/askbot/skins/default/templates/user_profile/user_email_subscriptions.html @@ -10,7 +10,7 @@ {% if action_status %} <p class="action-status"><span>{{action_status}}</span></p> {% endif %} - <form method="post" action=""> + <form method="post" action="">{% csrf_token %} <table class='form-as-table ab-subscr-form'> {{email_feeds_form.as_table()}} </table> diff --git a/askbot/skins/default/templates/user_profile/user_moderate.html b/askbot/skins/default/templates/user_profile/user_moderate.html index b8070e50..563026a4 100644 --- a/askbot/skins/default/templates/user_profile/user_moderate.html +++ b/askbot/skins/default/templates/user_profile/user_moderate.html @@ -10,7 +10,7 @@ {% if user_status_changed %} <p class="action-status"><span>{% trans %}User status changed{% endtrans %}</span></p> {% endif %} - <form method="post"> + <form method="post">{% csrf_token %} <input type="hidden" name="sort" value="moderate"/> <table class="form-as-table"> {{ change_user_status_form.as_table() }} 
@@ -29,7 +29,7 @@ {% if user_rep_changed %} <p class="action-status"><span>{% trans %}User reputation changed{% endtrans %}</span></p> {% endif %} -<form method="post"> +<form method="post">{% csrf_token %} <input type="hidden" name="sort" value="moderate"/> <table class="form-as-table"> {{ change_user_reputation_form.as_table() }} @@ -44,7 +44,7 @@ {% if message_sent %} <p class="action-status"><span>{% trans %}Message sent{% endtrans %}</span></p> {% endif %} -<form method="post"> +<form method="post">{% csrf_token %} <input type="hidden" name="sort" value="moderate"/> <div class="form-row-vertical"> <label for="id_subject_line">{{ send_message_form.subject_line.label}}</label> diff --git a/askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg Binary files differnew file mode 100755 index 00000000..0d582fae --- /dev/null +++ b/askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg diff --git a/askbot/upfiles/avatars/Evgeny/resized/128/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/resized/128/honda-civic-08.jpg Binary files differnew file mode 100755 index 00000000..df57d144 --- /dev/null +++ b/askbot/upfiles/avatars/Evgeny/resized/128/honda-civic-08.jpg diff --git a/askbot/upfiles/avatars/Evgeny/resized/48/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/resized/48/honda-civic-08.jpg Binary files differnew file mode 100755 index 00000000..84338cde --- /dev/null +++ b/askbot/upfiles/avatars/Evgeny/resized/48/honda-civic-08.jpg diff --git a/askbot/upfiles/avatars/Evgeny/resized/80/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/resized/80/honda-civic-08.jpg Binary files differnew file mode 100755 index 00000000..af891116 --- /dev/null +++ b/askbot/upfiles/avatars/Evgeny/resized/80/honda-civic-08.jpg diff --git a/askbot/views/avatar_views.py b/askbot/views/avatar_views.py index ea16380d..8ac30561 100644 --- a/askbot/views/avatar_views.py +++ b/askbot/views/avatar_views.py 
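Review bot: The four `askbot/upfiles/avatars/Evgeny/*.jpg` files added immediately after the `user_moderate.html` hunks are uploaded avatar images, unrelated to the CSRF change, and look like a local upload committed by accident. Drop them from the commit and, if it is not already there, add `askbot/upfiles/` to `.gitignore` so runtime uploads cannot be committed again.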
@@ -5,6 +5,7 @@ does not support jinja templates from django.http import HttpResponseRedirect from django.template import RequestContext from django.utils.translation import ugettext as _ +from django.views.decorators import csrf from django.conf import settings from django.contrib.auth.decorators import login_required @@ -74,6 +75,7 @@ def _get_avatars(user): return (avatar, avatars) @login_required +@csrf.csrf_protect def add(request, extra_context=None, next_override=None, upload_form=UploadAvatarForm, *args, **kwargs): if extra_context is None: @@ -109,6 +111,7 @@ def add(request, extra_context=None, next_override=None, return render_into_skin('avatar/add.html', data, request) @login_required +@csrf.csrf_protect def change(request, extra_context=None, next_override=None, upload_form=UploadAvatarForm, primary_form=PrimaryAvatarForm, *args, **kwargs): @@ -150,6 +153,7 @@ def change(request, extra_context=None, next_override=None, return render_into_skin('avatar/change.html', data, request) @login_required +@csrf.csrf_protect def delete(request, extra_context=None, next_override=None, *args, **kwargs): if extra_context is None: extra_context = {} diff --git a/askbot/views/commands.py b/askbot/views/commands.py index 8d16c35f..809d4249 100644 --- a/askbot/views/commands.py +++ b/askbot/views/commands.py @@ -12,6 +12,7 @@ from django.contrib.auth.decorators import login_required from django.http import HttpResponse, HttpResponseRedirect from django.forms import ValidationError from django.shortcuts import get_object_or_404 +from django.views.decorators import csrf from django.utils import simplejson from django.utils.translation import ugettext as _ from askbot import models @@ -391,6 +392,7 @@ def get_tag_list(request): output = '\n'.join(tag_names) return HttpResponse(output, mimetype = "text/plain") +@csrf.csrf_protect def subscribe_for_tags(request): """process subscription of users by tags""" #todo - use special separator to split tags 
@@ -471,6 +473,7 @@ def set_tag_filter_strategy(request): @login_required +@csrf.csrf_protect def close(request, id):#close question """view to initiate and process question close @@ -500,6 +503,7 @@ def close(request, id):#close question return HttpResponseRedirect(question.get_absolute_url()) @login_required +@csrf.csrf_protect def reopen(request, id):#re-open question """view to initiate and process question close diff --git a/askbot/views/meta.py b/askbot/views/meta.py index 0e67f08f..8953200b 100644 --- a/askbot/views/meta.py +++ b/askbot/views/meta.py @@ -10,6 +10,7 @@ from django.http import HttpResponseRedirect, HttpResponse from django.core.urlresolvers import reverse from django.utils.translation import ugettext as _ from django.views import static +from django.views.decorators import csrf from django.db.models import Max, Count from askbot.forms import FeedbackForm from askbot.utils.forms import get_next_url @@ -49,6 +50,7 @@ def faq(request): } return render_into_skin('faq.html', data, request) +@csrf.csrf_protect def feedback(request): data = {'page_class': 'meta'} form = None diff --git a/askbot/views/readers.py b/askbot/views/readers.py index 20a0df58..547addec 100644 --- a/askbot/views/readers.py +++ b/askbot/views/readers.py @@ -18,6 +18,7 @@ from django.utils import simplejson from django.utils.translation import ugettext as _ from django.utils.translation import ungettext from django.utils import translation +from django.views.decorators import csrf from django.core.urlresolvers import reverse from django.core import exceptions as django_exceptions from django.contrib.humanize.templatetags import humanize @@ -354,6 +355,7 @@ def tags(request):#view showing a listing of available tags - plain list } return render_into_skin('tags.html', data, request) +@csrf.csrf_protect def question(request, id):#refactor - long subroutine. display question body, answers and comments """view that displays body of the question and all answers to it 
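Review bot: `@csrf.csrf_protect` on `question` only makes the token available to `question.html`, whose `fmanswer` form posts to `{% url answer question.id %}`; the check itself runs in the view that receives the POST, and no `answer` view is decorated anywhere in this diff — the `writers.py` hunks cover `import_data`, `ask`, `retag_question`, `edit_question` and `edit_answer` only. Unless `answer` is protected elsewhere, posting an answer remains forgeable; add `@csrf.csrf_protect` above the `answer` view's `def` (or rely on `CsrfViewMiddleware` site-wide). The body of `question` continues outside the hunk.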
diff --git a/askbot/views/users.py b/askbot/views/users.py index 0db7124e..d96ceece 100644 --- a/askbot/views/users.py +++ b/askbot/views/users.py @@ -11,6 +11,7 @@ import functools import datetime import logging from django.db.models import Count +from django.conf import settings as django_settings from django.contrib.auth.decorators import login_required from django.core.paginator import Paginator, EmptyPage, InvalidPage from django.contrib.contenttypes.models import ContentType @@ -19,7 +20,7 @@ from django.shortcuts import get_object_or_404 from django.http import HttpResponse from django.http import HttpResponseRedirect, Http404 from django.utils.translation import ugettext as _ -from django.conf import settings as django_settings +from django.views.decorators import csrf from askbot.utils.slug import slugify from askbot.utils.html import sanitize_html from askbot.utils.mail import send_mail @@ -129,6 +130,7 @@ def users(request): } return render_into_skin('users.html', data, request) +@csrf.csrf_protect def user_moderate(request, subject): """user subview for moderation """ @@ -232,6 +234,7 @@ def set_new_email(user, new_email, nomessage=False): # send_new_email_key(user,nomessage=nomessage) @login_required +@csrf.csrf_protect def edit_user(request, id): """View that allows to edit user profile. This view is accessible to profile owners or site administrators @@ -862,6 +865,7 @@ def user_favorites(request, user): return render_into_skin('user_profile/user_favorites.html', data, request) @owner_or_moderator_required +@csrf.csrf_protect def user_email_subscriptions(request, user): logging.debug(get_request_info(request)) diff --git a/askbot/views/writers.py b/askbot/views/writers.py index 106a586d..d103c776 100644 --- a/askbot/views/writers.py +++ b/askbot/views/writers.py 
@@ -22,6 +22,7 @@ from django.utils.translation import ugettext as _ from django.core.urlresolvers import reverse from django.core import exceptions from django.conf import settings +from django.views.decorators import csrf from askbot import forms from askbot import models @@ -147,7 +148,7 @@ def __import_se_data(dump_file): sys.stdout = real_stdout yield '<p>Done. Please, <a href="%s">Visit Your Forum</a></p></body></html>' % reverse('index') - +@csrf.csrf_protect def import_data(request): """a view allowing the site administrator upload stackexchange data @@ -185,6 +186,7 @@ def import_data(request): return render_into_skin('import_data.html', data, request) #@login_required #actually you can post anonymously, but then must register +@csrf.csrf_protect def ask(request):#view used to ask a new question """a view to ask a new question gives space for q title, body, tags and checkbox for to post as wiki @@ -260,6 +262,7 @@ def ask(request):#view used to ask a new question return render_into_skin('ask.html', data, request) @login_required +@csrf.csrf_protect def retag_question(request, id): """retag question view """ @@ -313,6 +316,7 @@ def retag_question(request, id): return HttpResponseRedirect(question.get_absolute_url()) @login_required +@csrf.csrf_protect def edit_question(request, id): """edit question view """ @@ -398,6 +402,7 @@ def edit_question(request, id): return HttpResponseRedirect(question.get_absolute_url()) @login_required +@csrf.csrf_protect def edit_answer(request, id): answer = get_object_or_404(models.Answer, id=id) try: |
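Review bot: In the `@@ -147,7 +148,7 @@` hunk the `+@csrf.csrf_protect` line replaces the blank line that separated `import_data` from the `__import_se_data` generator above it, so the two top-level definitions now run together; keep the decorator and restore the blank line(s) before it. The `import_data` docstring describes an administrator-only upload, yet the hunk shows no `@login_required` or admin check on the function — if that gate lives inside the body (outside the hunk) a short comment such as `# superuser check is performed in the body` next to the decorator would save the next reviewer the same question; if it does not, the multipart upload endpoint is reachable by any visitor. `import_data`'s body continues past the hunk.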