From c440d4e27cd1acc5aa557ebda301cde6bc1155b8 Mon Sep 17 00:00:00 2001
From: Evgeny Fadeev <evgeny.fadeev@gmail.com>
Date: Tue, 19 Apr 2011 14:19:10 -0400
Subject: added csrf tokens to all post forms

---
 askbot/deps/django_authopenid/views.py             |   6 +++++
 askbot/doc/source/index.rst                        |   1 +
 askbot/doc/source/optional-modules.rst             |  26 +++++++++++++++++++++
 askbot/skins/default/templates/answer_edit.html    |   2 +-
 .../default/templates/authopenid/changeemail.html  |   2 +-
 .../default/templates/authopenid/complete.html     |   6 ++---
 .../skins/default/templates/authopenid/signin.html |   4 ++--
 .../templates/authopenid/signup_with_password.html |   4 ++--
 askbot/skins/default/templates/avatar/add.html     |   2 +-
 askbot/skins/default/templates/avatar/change.html  |   4 ++--
 .../default/templates/avatar/confirm_delete.html   |   2 +-
 .../skins/default/templates/blocks/ask_form.html   |   2 +-
 askbot/skins/default/templates/close.html          |   2 +-
 askbot/skins/default/templates/feedback.html       |   2 +-
 askbot/skins/default/templates/import_data.html    |   2 +-
 askbot/skins/default/templates/question.html       |   2 +-
 askbot/skins/default/templates/question_edit.html  |   2 +-
 askbot/skins/default/templates/question_retag.html |   2 +-
 askbot/skins/default/templates/reopen.html         |   2 +-
 .../default/templates/subscribe_for_tags.html      |   2 +-
 .../default/templates/user_profile/user_edit.html  |   2 +-
 .../user_profile/user_email_subscriptions.html     |   2 +-
 .../templates/user_profile/user_moderate.html      |   6 ++---
 askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg   | Bin 0 -> 49605 bytes
 .../avatars/Evgeny/resized/128/honda-civic-08.jpg  | Bin 0 -> 3864 bytes
 .../avatars/Evgeny/resized/48/honda-civic-08.jpg   | Bin 0 -> 1283 bytes
 .../avatars/Evgeny/resized/80/honda-civic-08.jpg   | Bin 0 -> 2094 bytes
 askbot/views/avatar_views.py                       |   4 ++++
 askbot/views/commands.py                           |   4 ++++
 askbot/views/meta.py                               |   2 ++
 askbot/views/readers.py                            |   2 ++
 askbot/views/users.py                              |   6 ++++-
 askbot/views/writers.py                            |   7 +++++-
 33 files changed, 83 insertions(+), 29 deletions(-)
 create mode 100644 askbot/doc/source/optional-modules.rst
 create mode 100755 askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg
 create mode 100755 askbot/upfiles/avatars/Evgeny/resized/128/honda-civic-08.jpg
 create mode 100755 askbot/upfiles/avatars/Evgeny/resized/48/honda-civic-08.jpg
 create mode 100755 askbot/upfiles/avatars/Evgeny/resized/80/honda-civic-08.jpg

diff --git a/askbot/deps/django_authopenid/views.py b/askbot/deps/django_authopenid/views.py
index 411f18ef..bda0e66f 100644
--- a/askbot/deps/django_authopenid/views.py
+++ b/askbot/deps/django_authopenid/views.py
@@ -40,6 +40,7 @@ from django.contrib.auth.models import User
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth import authenticate
 from django.core.urlresolvers import reverse
+from django.views.decorators import csrf
 from django.utils.encoding import smart_unicode
 from django.utils.html import escape
 from django.utils.translation import ugettext as _
@@ -258,6 +259,7 @@ def complete_oauth_signin(request):
         return HttpResponseRedirect(next_url)
 
 #@not_authenticated
+@csrf.csrf_protect
 def signin(
         request,
         newquestion = False,#todo: not needed
@@ -447,6 +449,7 @@ def signin(
                         view_subtype = view_subtype
                     )
 
+@csrf.csrf_protect
 def show_signin_view(
                 request,
                 login_form = None,
@@ -690,6 +693,7 @@ def finalize_generic_signin(
             return HttpResponseRedirect(redirect_url)
 
 @not_authenticated
+@csrf.csrf_protect
 def register(request, login_provider_name=None, user_identifier=None):
     """
     this function is used via it's own url with request.method=POST
@@ -833,6 +837,7 @@ def signin_failure(request, message):
 
 @not_authenticated
 @decorators.valid_password_login_provider_required
+@csrf.csrf_protect
 def signup_with_password(request):
     """Create a password-protected account
     template: authopenid/signup_with_password.html
@@ -1024,6 +1029,7 @@ def send_new_email_key(user,nomessage=False):
         set_email_validation_message(user)
 
 @login_required
+@csrf.csrf_protect
 def send_email_key(request):
     """
     url = /email/sendkey/
diff --git a/askbot/doc/source/index.rst b/askbot/doc/source/index.rst
index 19d94c26..981af741 100644
--- a/askbot/doc/source/index.rst
+++ b/askbot/doc/source/index.rst
@@ -22,6 +22,7 @@ at the forum_ or by email at admin@askbot.org
    Import data (StackExchange) <import-data>
    Appendix A: Maintenance procedures <management-commands>
    Appendix B: Sending email to askbot <sending-email-to-askbot>
+   Apperdix C: Optional modules <optional-modules>
    Contributors <contributors>
 
 Some background information: Askbot is written in Python on top of the Django platform.
diff --git a/askbot/doc/source/optional-modules.rst b/askbot/doc/source/optional-modules.rst
new file mode 100644
index 00000000..d7ca2f24
--- /dev/null
+++ b/askbot/doc/source/optional-modules.rst
@@ -0,0 +1,26 @@
+================
+Optional modules
+================
+
+Askbot supports a number of optional modules, enabling certain features, not available 
+in askbot by default.
+
+Uploaded avatars
+================
+
+To enable uploadable avatars (in addition to :ref:`gravatars <gravatar>`), 
+please install development version of
+application ``django-avatar``, with the following command:
+
+    pip install -e git+git://github.com/ericflo/django-avatar.git#egg=django-avatar
+
+Then add ``avatar`` to the list of ``INSTALLED_APPS`` in your ``settings.py`` file 
+and run (to install database table used by the avatar app):
+
+    python manage.py syncdb
+
+.. note::
+
+    Version of the ``avatar`` application available at pypi may not
+    be up to date, so please take the development version from the 
+    github repository
diff --git a/askbot/skins/default/templates/answer_edit.html b/askbot/skins/default/templates/answer_edit.html
index 0dc137ae..0d8b40da 100644
--- a/askbot/skins/default/templates/answer_edit.html
+++ b/askbot/skins/default/templates/answer_edit.html
@@ -11,7 +11,7 @@
 </h1>
 <div id="main-body" class="ask-body">
     <div id="askform">
-        <form id="fmedit" action="{% url edit_answer answer.id %}" method="post" >
+        <form id="fmedit" action="{% url edit_answer answer.id %}" method="post" >{% csrf_token %}
             <label for="id_revision" ><strong>{% trans %}revision{% endtrans %}:</strong></label> <br/> 
             {% if revision_form.revision.errors %}{{ revision_form.revision.errors.as_ul() }}{% endif %}
             <div style="vertical-align:middle">
diff --git a/askbot/skins/default/templates/authopenid/changeemail.html b/askbot/skins/default/templates/authopenid/changeemail.html
index 52dc6a0c..1316a048 100644
--- a/askbot/skins/default/templates/authopenid/changeemail.html
+++ b/askbot/skins/default/templates/authopenid/changeemail.html
@@ -21,7 +21,7 @@
     <p class="error">{{ msg }}</p>
     {% endif %}
     <div class="aligned">
-        <form action="." method="post" accept-charset="utf-8">
+        <form action="." method="post" accept-charset="utf-8">{% csrf_token %}
             {% if next %}
                 <input type="hidden" name="next" value="{{next}}"/>
             {% endif %}
diff --git a/askbot/skins/default/templates/authopenid/complete.html b/askbot/skins/default/templates/authopenid/complete.html
index ccaf753a..40ec4ccc 100644
--- a/askbot/skins/default/templates/authopenid/complete.html
+++ b/askbot/skins/default/templates/authopenid/complete.html
@@ -48,11 +48,11 @@ parameters:
     {% endif %}
     <div class="login">
         {% if login_type=='openid' %}
-        <form name="fregister" action="{% url user_register %}" method="POST">
+        <form name="fregister" action="{% url user_register %}" method="POST">{% csrf_token %}
         {% elif login_type=='facebook' %}
-        <form name="fregister" action="" method="POST">
+        <form name="fregister" action="" method="POST">{% csrf_token %}
         {% else %}
-        <form name="fregister" action="{% url user_signin %}" method="POST">
+        <form name="fregister" action="{% url user_signin %}" method="POST">{% csrf_token %}
         {% endif %}
             {{ openid_register_form.next }}
             <div class="form-row-vertical">
diff --git a/askbot/skins/default/templates/authopenid/signin.html b/askbot/skins/default/templates/authopenid/signin.html
index aa67c95f..9316255a 100644
--- a/askbot/skins/default/templates/authopenid/signin.html
+++ b/askbot/skins/default/templates/authopenid/signin.html
@@ -44,7 +44,7 @@
         <p class="warning">{{ openid_error_message }}</p>
     {% endif %}
     {% if view_subtype != 'email_sent' and view_subtype != 'bad_key' %}
-    <form id="signin-form" method="post" action="{% url user_signin %}">
+    <form id="signin-form" method="post" action="{% url user_signin %}">{% csrf_token %}
         {# in this branch - the real signin view we display the login icons
             here we hide the local login button only if admin
             wants to always show the password login form - then
@@ -157,7 +157,7 @@
     {% endif %}
     {% if view_subtype != 'email_sent' or view_subtype == 'bad_key' %}
         {% if user.is_anonymous() %}
-        <form id="account-recovery-form" action="{% url user_account_recover %}" method="post">
+        <form id="account-recovery-form" action="{% url user_account_recover %}" method="post">{% csrf_token %}
             {% if view_subtype != 'bad_key' %}
                 <h2 id='account-recovery-heading'>{% trans %}Still have trouble signing in?{% endtrans %}</h2>
             {% endif %}
diff --git a/askbot/skins/default/templates/authopenid/signup_with_password.html b/askbot/skins/default/templates/authopenid/signup_with_password.html
index d85f8671..b5680806 100644
--- a/askbot/skins/default/templates/authopenid/signup_with_password.html
+++ b/askbot/skins/default/templates/authopenid/signup_with_password.html
@@ -8,7 +8,7 @@
 {% block content %}
 {% if settings.PASSWORD_REGISTER_SHOW_PROVIDER_BUTTONS == True %}
     <h1>{% trans %}Please register by clicking on any of the icons below{% endtrans %}</h1>
-    <form id="signin-form" method="post" action="{% url user_signin %}">
+    <form id="signin-form" method="post" action="{% url user_signin %}">{% csrf_token %}
         {# hide_local_login == True because it is password reg form #}
         {{ 
             login_macros.provider_buttons(
@@ -25,7 +25,7 @@
     <h1>{% trans %}Create login name and password{% endtrans %}</h1>
     <p class="message">{% trans %}Traditional signup info{% endtrans %}</p>
 {%endif%}
-<form action="{% url user_signup_with_password %}" method="post" accept-charset="utf-8">
+<form action="{% url user_signup_with_password %}" method="post" accept-charset="utf-8">{% csrf_token %}
     {{form.login_provider}}
     <ul class="form-horizontal-rows">
     <li><label for="usename_id">{{form.username.label}}</label>{{form.username}}{{form.username.errors}}</li>
diff --git a/askbot/skins/default/templates/avatar/add.html b/askbot/skins/default/templates/avatar/add.html
index df700d0c..68a188ef 100644
--- a/askbot/skins/default/templates/avatar/add.html
+++ b/askbot/skins/default/templates/avatar/add.html
@@ -8,7 +8,7 @@
     {% if not avatars %}
         <p>{% trans %}You haven't uploaded an avatar yet. Please upload one now.{% endtrans %}</p>
     {% endif %}
-    <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}">
+    <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}">{% csrf_token %}
         {{ upload_avatar_form.as_p() }}
         <p><input type="submit" value="{% trans %}Upload New Image{% endtrans %}" /></p>
     </form>
diff --git a/askbot/skins/default/templates/avatar/change.html b/askbot/skins/default/templates/avatar/change.html
index 7a88ddef..7921a662 100644
--- a/askbot/skins/default/templates/avatar/change.html
+++ b/askbot/skins/default/templates/avatar/change.html
@@ -10,14 +10,14 @@
     {% if not avatars %}
         <p>{% trans %}You haven't uploaded an avatar yet. Please upload one now.{% endtrans %}</p>
     {% else %}
-        <form method="POST" action="{% url avatar_change %}">
+        <form method="POST" action="{% url avatar_change %}">{% csrf_token %}
             <ul>
                 {{ primary_avatar_form.as_ul() }}
             </ul>
             <p><input type="submit" value="{% trans %}Choose new Default{% endtrans %}" /></p>
         </form>
     {% endif %}
-    <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}">
+    <form enctype="multipart/form-data" method="POST" action="{% url avatar_add %}">{% csrf_token %}
         {{ upload_avatar_form.as_p() }}
         <p><input type="submit" value="{% trans %}Upload{% endtrans %}" /></p>
     </form>
diff --git a/askbot/skins/default/templates/avatar/confirm_delete.html b/askbot/skins/default/templates/avatar/confirm_delete.html
index 042d7c0d..282d72fa 100644
--- a/askbot/skins/default/templates/avatar/confirm_delete.html
+++ b/askbot/skins/default/templates/avatar/confirm_delete.html
@@ -6,7 +6,7 @@
     {% if not avatars %}
         <p>{% trans avatar_change_url="avatar_change"|url %}You have no avatars to delete. Please <a href="{{ avatar_change_url }}">upload one</a> now.{% endtrans %}</p>
     {% else %}
-        <form method="POST" action="{% url avatar_delete %}">
+        <form method="POST" action="{% url avatar_delete %}">{% csrf_token %}
             <ul>
                 {{ delete_avatar_form.as_ul() }}
             </ul>
diff --git a/askbot/skins/default/templates/blocks/ask_form.html b/askbot/skins/default/templates/blocks/ask_form.html
index 8df6c019..9b61c7ce 100644
--- a/askbot/skins/default/templates/blocks/ask_form.html
+++ b/askbot/skins/default/templates/blocks/ask_form.html
@@ -1,6 +1,6 @@
 {% import "macros.html" as macros %}
 <div id="askform">
-    <form id="fmask" action="" method="post" >
+    <form id="fmask" action="" method="post" >{% csrf_token %}
         <div class="form-item">
             <div id="askFormBar">
                 {% if not request.user.is_authenticated() %}
diff --git a/askbot/skins/default/templates/close.html b/askbot/skins/default/templates/close.html
index 57ff5780..d8160865 100644
--- a/askbot/skins/default/templates/close.html
+++ b/askbot/skins/default/templates/close.html
@@ -6,7 +6,7 @@
     <p>{% trans %}Close the question{% endtrans %}: <a href="{{ question.get_absolute_url() }}">
     <strong>{{ question.get_question_title() }}</strong></a>
     </p>
-    <form id="fmclose" action="{% url close question.id %}" method="post" >
+    <form id="fmclose" action="{% url close question.id %}" method="post" >{% csrf_token %}
         <p>
             <strong>{% trans %}Reasons{% endtrans %}:</strong>
             {{ form.reason }}
diff --git a/askbot/skins/default/templates/feedback.html b/askbot/skins/default/templates/feedback.html
index 258a85dc..d5e8b3a7 100644
--- a/askbot/skins/default/templates/feedback.html
+++ b/askbot/skins/default/templates/feedback.html
@@ -3,7 +3,7 @@
 {% block title %}{% spaceless %}{% trans %}Feedback{% endtrans %}{% endspaceless %}{% endblock %}
 {% block content %}
 <h1>{% trans %}Give us your feedback!{% endtrans %}</h1>
-<form method="post" action="{% url feedback %}" accept-charset="utf-8">
+<form method="post" action="{% url feedback %}" accept-charset="utf-8">{% csrf_token %}
     {% if user.is_authenticated() %}
         <p class="message">
         {% trans user_name=user.username %}
diff --git a/askbot/skins/default/templates/import_data.html b/askbot/skins/default/templates/import_data.html
index 7bc370ab..affeaa73 100644
--- a/askbot/skins/default/templates/import_data.html
+++ b/askbot/skins/default/templates/import_data.html
@@ -18,7 +18,7 @@
         Please note that feedback will be printed in plain text.
         {% endtrans %}
         </p>
-        <form id="load-dump-form" method="post" enctype="multipart/form-data">
+        <form id="load-dump-form" method="post" enctype="multipart/form-data">{% csrf_token %}
             <table>
             {{dump_upload_form.as_table()}}
             </table>
diff --git a/askbot/skins/default/templates/question.html b/askbot/skins/default/templates/question.html
index d95fd6c0..ffab9bd1 100644
--- a/askbot/skins/default/templates/question.html
+++ b/askbot/skins/default/templates/question.html
@@ -304,7 +304,7 @@
             {{ macros.paginator(paginator_context) }}
         </div><br/>
     {% endif %}
-<form id="fmanswer" action="{% url answer question.id %}" method="post">
+<form id="fmanswer" action="{% url answer question.id %}" method="post">{% csrf_token %}
     {% if request.user.is_authenticated() %}
         <p style="padding-left:3px">
         {{ answer.email_notify }} 
diff --git a/askbot/skins/default/templates/question_edit.html b/askbot/skins/default/templates/question_edit.html
index c1a84426..6a55e58c 100644
--- a/askbot/skins/default/templates/question_edit.html
+++ b/askbot/skins/default/templates/question_edit.html
@@ -7,7 +7,7 @@
 {% endblock %}
 {% block content %}
 <h1>{% trans %}Edit question{% endtrans %} [<a href="{{ question.get_absolute_url() }}">{% trans %}back{% endtrans %}</a>]</h1>
-<form id="fmedit" action="{% url edit_question question.id %}" method="post" >
+<form id="fmedit" action="{% url edit_question question.id %}" method="post" >{% csrf_token %}
     <label for="id_revision" ><strong>{% trans %}revision{% endtrans %}:</strong></label> <br/>
     {% if revision_form.revision.errors %}{{ revision_form.revision.errors.as_ul() }}{% endif %}
     <div style="vertical-align:middle">
diff --git a/askbot/skins/default/templates/question_retag.html b/askbot/skins/default/templates/question_retag.html
index f521ccb3..79cbbbff 100644
--- a/askbot/skins/default/templates/question_retag.html
+++ b/askbot/skins/default/templates/question_retag.html
@@ -4,7 +4,7 @@
 {% block content %}
 <h1>{% trans %}Change tags{% endtrans %} [<a href="{{ question.get_absolute_url() }}">{% trans %}back{% endtrans %}</a>]</h1>
 <div id="askform">
-    <form id="fmretag" action="{% url retag_question question.id %}" method="post" >
+    <form id="fmretag" action="{% url retag_question question.id %}" method="post" >{% csrf_token %}
         <h2>
             {{ question.get_question_title() }}
         </h2>
diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html
index 58d798a3..d68e8bdc 100644
--- a/askbot/skins/default/templates/reopen.html
+++ b/askbot/skins/default/templates/reopen.html
@@ -21,7 +21,7 @@
 <p>
     {% trans %}Reopen this question?{% endtrans %}
 </p>
-<form id="fmclose" action="{% url reopen question.id %}" method="post" >
+<form id="fmclose" action="{% url reopen question.id %}" method="post" >{% csrf_token %}
     <div id="" style="padding:20px 0 20px 0">
         <input type="submit" value="{% trans %}Reopen this question{% endtrans %}" class="submit" />&nbsp;
         <input id="btBack" type="button" value="{% trans %}Cancel{% endtrans %}"  class="submit"  />
diff --git a/askbot/skins/default/templates/subscribe_for_tags.html b/askbot/skins/default/templates/subscribe_for_tags.html
index 9a58ccbf..b436fb84 100644
--- a/askbot/skins/default/templates/subscribe_for_tags.html
+++ b/askbot/skins/default/templates/subscribe_for_tags.html
@@ -10,7 +10,7 @@
     {% endfor %}
 </ul>
 <div style="clear:both;padding-top: 5px">
-    <form method="post" action="{% url subscribe_for_tags %}">
+    <form method="post" action="{% url subscribe_for_tags %}">{% csrf_token %}
         <input type="hidden" name="tags" value="{{tags|join(' ')|escape}}" />
         <input type="submit" name="ok" value="{% trans %}Subscribe{% endtrans %}" />
         <input type="submit" name="nope" value="{% trans %}Cancel{% endtrans %}" />
diff --git a/askbot/skins/default/templates/user_profile/user_edit.html b/askbot/skins/default/templates/user_profile/user_edit.html
index 9308bf90..fe4ea35f 100644
--- a/askbot/skins/default/templates/user_profile/user_edit.html
+++ b/askbot/skins/default/templates/user_profile/user_edit.html
@@ -7,7 +7,7 @@
     {{ request.user.username }} - {% trans %}edit profile{% endtrans %}
 </h1>
 <div id="main-body" style="width:100%;padding-top:10px">
-    <form name="" action="{% url edit_user request.user.id %}" method="post">
+    <form name="" action="{% url edit_user request.user.id %}" method="post">{% csrf_token %}
         <div id="left" style="float:left;width:180px">
             {% if request.user.email %}
                 {{ macros.gravatar(request.user, 128) }}
diff --git a/askbot/skins/default/templates/user_profile/user_email_subscriptions.html b/askbot/skins/default/templates/user_profile/user_email_subscriptions.html
index 896a77f0..e6a18dd3 100644
--- a/askbot/skins/default/templates/user_profile/user_email_subscriptions.html
+++ b/askbot/skins/default/templates/user_profile/user_email_subscriptions.html
@@ -10,7 +10,7 @@
     {% if action_status %}
         <p class="action-status"><span>{{action_status}}</span></p>
     {% endif %}
-    <form method="post" action=""> 
+    <form method="post" action="">{% csrf_token %}
         <table class='form-as-table ab-subscr-form'>
         {{email_feeds_form.as_table()}}
         </table>
diff --git a/askbot/skins/default/templates/user_profile/user_moderate.html b/askbot/skins/default/templates/user_profile/user_moderate.html
index b8070e50..563026a4 100644
--- a/askbot/skins/default/templates/user_profile/user_moderate.html
+++ b/askbot/skins/default/templates/user_profile/user_moderate.html
@@ -10,7 +10,7 @@
     {% if user_status_changed %}
         <p class="action-status"><span>{% trans %}User status changed{% endtrans %}</span></p>
     {% endif %}
-    <form method="post">
+    <form method="post">{% csrf_token %}
         <input type="hidden" name="sort" value="moderate"/>
         <table class="form-as-table">
         {{ change_user_status_form.as_table() }}
@@ -29,7 +29,7 @@
 {% if user_rep_changed %}
     <p class="action-status"><span>{% trans %}User reputation changed{% endtrans %}</span></p>
 {% endif %}
-<form method="post">
+<form method="post">{% csrf_token %}
     <input type="hidden" name="sort" value="moderate"/>
     <table class="form-as-table">
     {{ change_user_reputation_form.as_table() }}
@@ -44,7 +44,7 @@
     {% if message_sent %}
         <p class="action-status"><span>{% trans %}Message sent{% endtrans %}</span></p>
     {% endif %}
-<form method="post">
+<form method="post">{% csrf_token %}
     <input type="hidden" name="sort" value="moderate"/>
     <div class="form-row-vertical">
     <label for="id_subject_line">{{ send_message_form.subject_line.label}}</label>
diff --git a/askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg
new file mode 100755
index 00000000..0d582fae
Binary files /dev/null and b/askbot/upfiles/avatars/Evgeny/honda-civic-08.jpg differ
diff --git a/askbot/upfiles/avatars/Evgeny/resized/128/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/resized/128/honda-civic-08.jpg
new file mode 100755
index 00000000..df57d144
Binary files /dev/null and b/askbot/upfiles/avatars/Evgeny/resized/128/honda-civic-08.jpg differ
diff --git a/askbot/upfiles/avatars/Evgeny/resized/48/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/resized/48/honda-civic-08.jpg
new file mode 100755
index 00000000..84338cde
Binary files /dev/null and b/askbot/upfiles/avatars/Evgeny/resized/48/honda-civic-08.jpg differ
diff --git a/askbot/upfiles/avatars/Evgeny/resized/80/honda-civic-08.jpg b/askbot/upfiles/avatars/Evgeny/resized/80/honda-civic-08.jpg
new file mode 100755
index 00000000..af891116
Binary files /dev/null and b/askbot/upfiles/avatars/Evgeny/resized/80/honda-civic-08.jpg differ
diff --git a/askbot/views/avatar_views.py b/askbot/views/avatar_views.py
index ea16380d..8ac30561 100644
--- a/askbot/views/avatar_views.py
+++ b/askbot/views/avatar_views.py
@@ -5,6 +5,7 @@ does not support jinja templates
 from django.http import HttpResponseRedirect
 from django.template import RequestContext
 from django.utils.translation import ugettext as _
+from django.views.decorators import csrf
 from django.conf import settings
 
 from django.contrib.auth.decorators import login_required
@@ -74,6 +75,7 @@ def _get_avatars(user):
     return (avatar, avatars)    
 
 @login_required
+@csrf.csrf_protect
 def add(request, extra_context=None, next_override=None,
         upload_form=UploadAvatarForm, *args, **kwargs):
     if extra_context is None:
@@ -109,6 +111,7 @@ def add(request, extra_context=None, next_override=None,
     return render_into_skin('avatar/add.html', data, request)
 
 @login_required
+@csrf.csrf_protect
 def change(request, extra_context=None, next_override=None,
         upload_form=UploadAvatarForm, primary_form=PrimaryAvatarForm,
         *args, **kwargs):
@@ -150,6 +153,7 @@ def change(request, extra_context=None, next_override=None,
     return render_into_skin('avatar/change.html', data, request)
 
 @login_required
+@csrf.csrf_protect
 def delete(request, extra_context=None, next_override=None, *args, **kwargs):
     if extra_context is None:
         extra_context = {}
diff --git a/askbot/views/commands.py b/askbot/views/commands.py
index 8d16c35f..809d4249 100644
--- a/askbot/views/commands.py
+++ b/askbot/views/commands.py
@@ -12,6 +12,7 @@ from django.contrib.auth.decorators import login_required
 from django.http import HttpResponse, HttpResponseRedirect
 from django.forms import ValidationError
 from django.shortcuts import get_object_or_404
+from django.views.decorators import csrf
 from django.utils import simplejson
 from django.utils.translation import ugettext as _
 from askbot import models
@@ -391,6 +392,7 @@ def get_tag_list(request):
     output = '\n'.join(tag_names)
     return HttpResponse(output, mimetype = "text/plain")
 
+@csrf.csrf_protect
 def subscribe_for_tags(request):
     """process subscription of users by tags"""
     #todo - use special separator to split tags
@@ -471,6 +473,7 @@ def set_tag_filter_strategy(request):
 
 
 @login_required
+@csrf.csrf_protect
 def close(request, id):#close question
     """view to initiate and process 
     question close
@@ -500,6 +503,7 @@ def close(request, id):#close question
         return HttpResponseRedirect(question.get_absolute_url())
 
 @login_required
+@csrf.csrf_protect
 def reopen(request, id):#re-open question
     """view to initiate and process 
     question close
diff --git a/askbot/views/meta.py b/askbot/views/meta.py
index 0e67f08f..8953200b 100644
--- a/askbot/views/meta.py
+++ b/askbot/views/meta.py
@@ -10,6 +10,7 @@ from django.http import HttpResponseRedirect, HttpResponse
 from django.core.urlresolvers import reverse
 from django.utils.translation import ugettext as _
 from django.views import static
+from django.views.decorators import csrf
 from django.db.models import Max, Count
 from askbot.forms import FeedbackForm
 from askbot.utils.forms import get_next_url
@@ -49,6 +50,7 @@ def faq(request):
     }
     return render_into_skin('faq.html', data, request)
 
+@csrf.csrf_protect
 def feedback(request):
     data = {'page_class': 'meta'}
     form = None
diff --git a/askbot/views/readers.py b/askbot/views/readers.py
index 20a0df58..547addec 100644
--- a/askbot/views/readers.py
+++ b/askbot/views/readers.py
@@ -18,6 +18,7 @@ from django.utils import simplejson
 from django.utils.translation import ugettext as _
 from django.utils.translation import ungettext
 from django.utils import translation
+from django.views.decorators import csrf
 from django.core.urlresolvers import reverse
 from django.core import exceptions as django_exceptions
 from django.contrib.humanize.templatetags import humanize
@@ -354,6 +355,7 @@ def tags(request):#view showing a listing of available tags - plain list
     }
     return render_into_skin('tags.html', data, request)
 
+@csrf.csrf_protect
 def question(request, id):#refactor - long subroutine. display question body, answers and comments
     """view that displays body of the question and 
     all answers to it
diff --git a/askbot/views/users.py b/askbot/views/users.py
index 0db7124e..d96ceece 100644
--- a/askbot/views/users.py
+++ b/askbot/views/users.py
@@ -11,6 +11,7 @@ import functools
 import datetime
 import logging
 from django.db.models import Count
+from django.conf import settings as django_settings
 from django.contrib.auth.decorators import login_required
 from django.core.paginator import Paginator, EmptyPage, InvalidPage
 from django.contrib.contenttypes.models import ContentType
@@ -19,7 +20,7 @@ from django.shortcuts import get_object_or_404
 from django.http import HttpResponse
 from django.http import HttpResponseRedirect, Http404
 from django.utils.translation import ugettext as _
-from django.conf import settings as django_settings
+from django.views.decorators import csrf
 from askbot.utils.slug import slugify
 from askbot.utils.html import sanitize_html
 from askbot.utils.mail import send_mail
@@ -129,6 +130,7 @@ def users(request):
     }
     return render_into_skin('users.html', data, request)
 
+@csrf.csrf_protect
 def user_moderate(request, subject):
     """user subview for moderation 
     """
@@ -232,6 +234,7 @@ def set_new_email(user, new_email, nomessage=False):
         #    send_new_email_key(user,nomessage=nomessage)    
 
 @login_required
+@csrf.csrf_protect
 def edit_user(request, id):
     """View that allows to edit user profile.
     This view is accessible to profile owners or site administrators
@@ -862,6 +865,7 @@ def user_favorites(request, user):
     return render_into_skin('user_profile/user_favorites.html', data, request)
 
 @owner_or_moderator_required
+@csrf.csrf_protect
 def user_email_subscriptions(request, user):
 
     logging.debug(get_request_info(request))
diff --git a/askbot/views/writers.py b/askbot/views/writers.py
index 106a586d..d103c776 100644
--- a/askbot/views/writers.py
+++ b/askbot/views/writers.py
@@ -22,6 +22,7 @@ from django.utils.translation import ugettext as _
 from django.core.urlresolvers import reverse
 from django.core import exceptions
 from django.conf import settings
+from django.views.decorators import csrf
 
 from askbot import forms
 from askbot import models
@@ -147,7 +148,7 @@ def __import_se_data(dump_file):
     sys.stdout = real_stdout
     yield '<p>Done. Please, <a href="%s">Visit Your Forum</a></p></body></html>' % reverse('index')
 
-
+@csrf.csrf_protect
 def import_data(request):
     """a view allowing the site administrator
     upload stackexchange data
@@ -185,6 +186,7 @@ def import_data(request):
     return render_into_skin('import_data.html', data, request)
 
 #@login_required #actually you can post anonymously, but then must register
+@csrf.csrf_protect
 def ask(request):#view used to ask a new question
     """a view to ask a new question
     gives space for q title, body, tags and checkbox for to post as wiki
@@ -260,6 +262,7 @@ def ask(request):#view used to ask a new question
     return render_into_skin('ask.html', data, request)
 
 @login_required
+@csrf.csrf_protect
 def retag_question(request, id):
     """retag question view
     """
@@ -313,6 +316,7 @@ def retag_question(request, id):
             return HttpResponseRedirect(question.get_absolute_url())
 
 @login_required
+@csrf.csrf_protect
 def edit_question(request, id):
     """edit question view
     """
@@ -398,6 +402,7 @@ def edit_question(request, id):
         return HttpResponseRedirect(question.get_absolute_url())
 
 @login_required
+@csrf.csrf_protect
 def edit_answer(request, id):
     answer = get_object_or_404(models.Answer, id=id)
     try:
-- 
cgit v1.2.3-1-g7c22