refactor: CSRF cleanup.
sfermigier committed Jan 11, 2018
1 parent b02cae5 commit 89588a5
Showing 31 changed files with 92 additions and 122 deletions.
Expand Up @@ -89,7 +89,7 @@ <h2 class="members-title">{{ _("Add a member") }}</h2>

<div id="add-user-role" role="dialog">
<form method="POST" class="form-inline" enctype="multipart/form-data" role="form">
{{ csrf_token }}
{{ csrf.field() }}

<div class="form-group">
<label for="user-select">{{ _('User') }}</label>
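Review bot: `csrf.field()` is now called directly from the template, so this form (and every other one in the commit) depends on `csrf` being registered as a Jinja global, and that registration is not visible in this commit — presumably it already exists in the app setup, but it should be confirmed before merge. With Jinja's default `Undefined` a missing global fails loudly on the `.field` access, whereas a lenient undefined class would drop the hidden field and leave the form rejected by (or, if protection is off for that endpoint, open to) cross-site submission. A render test for this template that asserts the response contains the hidden input emitted by `csrf.field()` would pin the behaviour; the diffstat lists 31 files, more than are shown on this page, so the same check applies to the sections not visible here.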
Expand Up @@ -74,7 +74,7 @@
<td>
<form action="{{ url_for('.members_post', community_id=g.community.slug) }}" method="POST"
style="display: inline;">
{{ csrf_token }}
{{ csrf.field() }}
<input type="hidden" name="user" value="{{ user.id }}"/>
<input type="hidden" name="action" value="set-user-role"/>
<select onchange="this.form.submit();" id="role-select" name="role" class="form-control" style="width: auto;">
Expand All @@ -87,7 +87,7 @@
<td>
<form action="{{ url_for(".members_post", community_id=g.community.slug) }}"
method="POST" style="display: inline;">
{{ csrf_token }}
{{ csrf.field() }}
<input type="hidden" name="membership" value="{{ m_id }}">
<input type="hidden" name="user" value="{{ user.id }}">
<button style="position: relative;left: 4.5px;" type="submit" name="action" value="delete"
Expand Up @@ -72,12 +72,13 @@ <h4 class="sous_titre col-sm-offset-4"> {{ _("Insert or import new members into
<div class="col-lg-6 col-md-offset-3">
<form id="csv_form" method="post" action="{{ url_for('.wizard_check_data',community_id=g.community.slug) }}"
enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}
<input style="display:none;" type="file" id="csv_file" class="file-add form-control col-sm-2" name="csv_file">
</form>

<form method="POST" class="form-inline"
action=" {{ url_for('.wizard_check_data',community_id=g.community.slug) }}">
{{ csrf_token }}
{{ csrf.field() }}
<input id="wizard-emails" type="hidden" name="wizard-emails" value="">
<br>
<br>
Expand Up @@ -74,7 +74,7 @@ <h6 class=" sous_titre_step2">

<form method="POST" class="form-inline wizard-form"
action=" {{ url_for('.wizard_new_accounts',community_id=g.community.slug) }}">
{{ csrf_token }}
{{ csrf.field() }}
<input id="wizard-emails" type="hidden" name="wizard-emails" value="{{ wizard_emails }}">
</form>

Expand Up @@ -102,7 +102,7 @@ <h6 class="sous_titre_step2">

<form method="POST" id="wizard-form" class="form-inline"
action=" {{ url_for('.wizard_saving',community_id=g.community.slug) }}">
{{ csrf_token }}
{{ csrf.field() }}
<input id="existing_account" type="hidden" name="existing_account" value="{{ existing_account }}">
<input id="new_accounts" type="hidden" name="new_accounts" value='{{ new_accounts|tojson }}'>
</form>
Expand Up @@ -68,7 +68,7 @@
<td style="padding-top: 11px;padding-left: 10px;">
<form action="{{ url_for(".members_post", community_id=g.community.slug) }}"
method="POST" style="display: inline;">
{{ csrf_token }}
{{ csrf.field() }}
<input type="hidden" name="user" value="{{ user.id }}"/>
<input type="hidden" name="action" value="set-user-role"/>
<select onchange="role_change(this)" id="{{ user.email }}" name="role" class="form-control role-change"
14 changes: 7 additions & 7 deletions abilian/sbe/apps/communities/views/views.py
Expand Up @@ -350,13 +350,13 @@ def members():
community_threads_users = [thread.creator for thread in g.community.threads]
threads_count = Counter(community_threads_users)

return render_template(
"community/members.html",
seconds_since_epoch=seconds_since_epoch,
is_manager=is_manager(user=current_user),
memberships=memberships,
threads_count=threads_count,
csrf_token=csrf.field())
ctx = {
'seconds_since_epoch': seconds_since_epoch,
'is_manager': is_manager(user=current_user),
'memberships': memberships,
'threads_count': threads_count,
}
return render_template("community/members.html", **ctx)


@route("/<string:community_id>/members", methods=["POST"])
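Review bot: Dropping `csrf_token` from the context turns any template that still writes `{{ csrf_token }}` into a silent failure, because Jinja renders an undefined variable as an empty string rather than raising, so a straggler would ship a form without a token and nothing in the logs. A repository-wide `grep -rn 'csrf_token' abilian/sbe` before merging catches those; the 31-file diffstat is larger than the set shown on this page. If this hunk removed the last use of `csrf` in the module, the import (or whatever brought the name into scope) is now unused and should go too. `members()` starts outside the hunk.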
19 changes: 9 additions & 10 deletions abilian/sbe/apps/communities/views/wizard.py
Expand Up @@ -146,8 +146,7 @@ def wizard_data_insertion():
url=Endpoint('communities.members', community_id=g.community.slug)),
)

return render_template(
"community/wizard_add_emails.html", csrf_token=csrf.field())
return render_template("community/wizard_add_emails.html")


@route("/<string:community_id>/members/wizard/step2", methods=['GET', 'POST'])
Expand Down Expand Up @@ -191,13 +190,13 @@ def wizard_check_data():
return redirect(
url_for(".wizard_data_insertion", community_id=g.community.slug))

return render_template(
"community/wizard_check_members.html",
existing_accounts_object=existing_accounts_object,
csv_roles=existing_accounts_csv_roles if is_csv else False,
wizard_emails=final_email_list_json,
existing_members_objects=existing_members_objects,
csrf_token=csrf.field())
ctx = {
'existing_accounts_object': existing_accounts_object,
'csv_roles': existing_accounts_csv_roles if is_csv else False,
'wizard_emails': final_email_list_json,
'existing_members_objects': existing_members_objects
}
return render_template("community/wizard_check_members.html", **ctx)


@route("/<string:community_id>/members/wizard/step3", methods=['GET', 'POST'])
Expand Down Expand Up @@ -234,7 +233,7 @@ def wizard_new_accounts():
"community/wizard_new_accounts.html",
existing_account=existing_account,
new_accounts=new_accounts,
csrf_token=csrf.field())
)


@route("/<string:community_id>/members/wizard/complete", methods=['POST'])
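Review bot: The `wizard_new_accounts` hunk leaves a dangling `)` on its own line after `new_accounts=new_accounts,`, which is syntactically fine but reads like an incomplete edit; collapsing it to `return render_template("community/wizard_new_accounts.html", existing_account=existing_account, new_accounts=new_accounts)` matches the other two views in this file. The new `ctx` dict in `wizard_check_data` also lacks the trailing comma that the equivalent dict in `views.py` carries, so keeping the two consistent avoids churn in the next diff. `wizard_new_accounts` starts outside the hunk, and, as in `views.py`, whatever brought `csrf` into scope is unused if these were its last references.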
6 changes: 3 additions & 3 deletions abilian/sbe/apps/documents/templates/documents/_macros.html
Expand Up @@ -25,7 +25,7 @@
{%- if objects %}
<form action="{{ url_for('.change_view_style', folder_id=folder.id, community_id=folder.community.slug) }}"
method="POST">
{{ csrf_token }}
{{ csrf.field() }}
<div style="float:right;margin-left: 12px;position: relative;
top: -65px;" class="btn-group" role="group" aria-label="...">
<button type="submit" class="btn btn-default" name="view_style" value="thumbnail_view"><span
Expand All @@ -36,7 +36,7 @@
</form>

<form name="folder-listing" style="margin-bottom: 0;" method="POST">
{{ csrf_token }}
{{ csrf.field() }}
{%- if edit %}
<div class="btn-toolbar" style="margin-bottom: 0;">
<div class="btn-group" style="margin-right: 20px;display:none;">
Expand Down Expand Up @@ -279,7 +279,7 @@
</form>

<form id="folder_content_download" action="" method="post">
{{ csrf_token }}
{{ csrf.field() }}
<button class="document-folder-download" id="document-folder-download"
style="margin-top: 1px;margin-bottom:0px;display:none;" name="action" value="download" title="Download"><i
class="fa fa-download" aria-hidden="true"></i> {{ _('Download') }}</button>
Expand Up @@ -21,7 +21,7 @@
{%- if objects %}
<form action="{{ url_for('.change_view_style', folder_id=folder.id, community_id=folder.community.slug) }}"
method="POST">
{{ csrf_token }}
{{ csrf.field() }}
<div style="float:right;margin-left: 12px;position: relative;
top: -65px;" class="btn-group" role="group" aria-label="...">
<button type="submit" class="btn btn-default" name="view_style" value="thumbnail_view"><span
Expand All @@ -32,7 +32,7 @@
</form>

<form name="folder-listing" style="margin-bottom: 0;" method="POST">
{{ csrf_token }}
{{ csrf.field() }}
{%- if edit %}
<div class="btn-toolbar" style="margin-bottom: 0;">
<div class="btn-group" style="margin-right: 20px;display:none;">
Expand Down Expand Up @@ -221,7 +221,7 @@
</script>

<form id="folder_content_download" action="" method="post">
{{ csrf_token }}
{{ csrf.field() }}
<button class="document-folder-download" id="document-folder-download"
style="margin-top: 1px; margin-bottom:0; display:none;"
name="action" value="download" title="Download"><i
Expand All @@ -231,11 +231,11 @@
</form>

<form id="folder_content_delete" action="" method="post">
{{ csrf_token }}
{{ csrf.field() }}
<button class="document-folder-download" id="folder-delete"
style="margin-top: 1px; margin-bottom:0; display:none;"
name="action" value="delete" title="Download"><i
class="fa fa-download" aria-hidden="true"></i>
name="action" value="delete" title="Download"
><i class="fa fa-download" aria-hidden="true"></i>
{{ _('Delete') }}
</button>
</form>
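Review bot: The delete form's button still carries `title="Download"`, the `document-folder-download` class and the download icon, so the new lines only move a `>` and keep a control that announces the wrong action in tooltips and to assistive technology; the title at least should become `title="{{ _('Delete') }}"`, and the icon class looks like a copy-paste leftover from the download form above, worth swapping for a delete glyph from whichever icon set the project uses. The `action=""` posts to the current URL, which is presumably intended since the download form does the same.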
Expand Up @@ -7,7 +7,7 @@
<form id="modal-delete-document"
action="{{ url_for('.document_delete', doc_id=doc.id, community_id=doc.community.slug) }}"
method="POST">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -8,7 +8,7 @@
action="{{ url_for('.document_edit', doc_id=doc.id,folder_id=folder.id, community_id=doc.community.slug) }}"
enctype="multipart/form-data">

{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -8,7 +8,7 @@
<form id="modal-email-form"
action=''
method="POST">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -9,7 +9,7 @@
<form id="fileupload" class="modal-replacedoc-form"
action=""
method="POST" enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -4,7 +4,7 @@

<form method="POST" action="{{ folder_post_url }}"
enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -7,7 +7,7 @@
<form id="modal-delete-folders"
action="{{ url_for('.document_delete', doc_id=doc.id, community_id=doc.community.slug) }}"
method="POST">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -6,7 +6,7 @@
<div class="modal-content">
<form id="modal-editfolder-form" method="POST" action="{{ folder_post_url }}"
enctype="multipart/form-data" role="form">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -2,7 +2,7 @@
<div class="modal-dialog">
<div class="modal-content">
<form method="POST" id="modal-folder-move" action="{{ folder_post_url }}" enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}
<div class="modal-header">{{ _("Move files or documents") }}</div>

<div id="modal-move-files-directory-listing" class="modal-body">
Expand Up @@ -4,7 +4,7 @@

<form method="POST" action="{{ folder_post_url }}"
enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -3,7 +3,7 @@
<div class="modal-content">
<form method="POST" class="b-upload b-upload_multi"
action="{{ folder_post_url }}" enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}

<div class="modal-header">
<button class="close" data-dismiss="modal">&times;</button>
Expand Up @@ -6,7 +6,7 @@
<form method="POST" class="form-horizontal"
action="{{ url_for(".permissions_update", folder_id=folder.id, community_id=folder.community.slug) }}"
enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}
<input type="hidden" name="action" value="add-group-role"/>

<div class="modal-header">
Expand Down Expand Up @@ -63,7 +63,7 @@ <h4 class="modal-title">{{ _("Add a local role for a group") }}</h4>
<form method="POST" class="form-horizontal"
action="{{ url_for(".permissions_update", folder_id=folder.id, community_id=folder.community.slug) }}"
enctype="multipart/form-data">
{{ csrf_token }}
{{ csrf.field() }}
<input type="hidden" name="action" value="add-user-role"/>

<div class="modal-header">
Expand Up @@ -120,7 +120,7 @@ <h2>
<form id="document_checkout"
action="{{ url_for('.checkin_checkout', doc_id=doc.id, community_id=doc.community.slug) }}"
method="POST" target="_new">
{{ csrf_token }}
{{ csrf.field() }}
{% if doc.lock == None %}
<input type="hidden" name="action" value="checkout"/>
<a style="color: #262626;position: relative;left: 8px;text-decoration: none;" type="submit"
Expand Up @@ -6,7 +6,7 @@
{% macro m_users_table(users_and_roles, controls) %}
{% set table_id = uuid() %}
<form method="POST">
{{ csrf_token }}
{{ csrf.field() }}
<table class="table table-condensed table-striped" id="{{ table_id }}">
<thead>
<tr>
Expand Down Expand Up @@ -83,7 +83,7 @@
{% macro m_groups_table(groups_and_roles, controls) %}
{% set table_id = uuid() %}
<form method="POST">
{{ csrf_token }}
{{ csrf.field() }}
<table class="table table-condensed table-striped" id="{{ table_id }}">
<thead>
<tr>
Expand Down Expand Up @@ -254,15 +254,15 @@ <h3 class="main">{{ _("Audit Log") }}</h3>

Abilian.fn.onAppInit(function () {
$("#deactivate_inheritance").click(function () {
var form = $('<form>{{ csrf_token }}<input type="text" name="action" value="deactivate_inheritance" /></form>');
var form = $('<form>{{ csrf.field() }}<input type="text" name="action" value="deactivate_inheritance" /></form>');
form.attr("method", "post");
form.attr("action", "{{ request.path }}");
$(document.body).append(form);
form.submit();
});

$("#activate_inheritance").click(function () {
var form = $('<form>{{ csrf_token }}<input type="text" name="action" value="activate_inheritance" /></form>');
var form = $('<form>{{ csrf.field() }}<input type="text" name="action" value="activate_inheritance" /></form>');
form.attr("method", "post");
form.attr("action", "{{ request.path }}");
$(document.body).append(form);
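Review bot: The markup returned by `csrf.field()` is spliced into a single-quoted JavaScript string literal on both `var form = $('<form>…` lines, so any single quote or newline in that markup — or in `{{ request.path }}` two lines later — breaks the script; HTML autoescaping, if enabled for this template, neutralises quotes but is the wrong escaping for a JS string context. Rendering the form once in the HTML, where `{{ csrf.field() }}` and `{{ request.path }}` sit in their native context, and letting the two handlers only set the `action` value and submit removes the string assembly entirely and makes the `action` input `hidden` instead of `type="text"`. The `Abilian.fn.onAppInit(function () {` callback closes outside the hunk.
```html
<form id="inheritance-form" method="post" action="{{ request.path }}" style="display: none;">
  {{ csrf.field() }}
  <input type="hidden" name="action" value="">
</form>
<!-- … unchanged: heading and script opening … -->
Abilian.fn.onAppInit(function () {
  $("#deactivate_inheritance").click(function () {
    $("#inheritance-form input[name=action]").val("deactivate_inheritance");
    $("#inheritance-form").submit();
  });
  // … unchanged: activate_inheritance handler, same pattern with "activate_inheritance" …
```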
33 changes: 16 additions & 17 deletions abilian/sbe/apps/documents/views/documents.py
Expand Up @@ -62,14 +62,14 @@ def document_view(doc_id):
audit_entries = audit_service.entries_for(doc)
viewtracker.record_hit(entity=doc, user=current_user)

ctx = dict(
doc=doc,
audit_entries=audit_entries,
breadcrumbs=bc,
folder=doc.parent,
has_preview=has_preview,
csrf_token=csrf.field(),
viewers=object_viewers(doc))
ctx = {
'doc': doc,
'audit_entries': audit_entries,
'breadcrumbs': bc,
'folder': doc.parent,
'has_preview': has_preview,
'viewers': object_viewers(doc),
}
return render_template("documents/document.html", **ctx)


Expand Down Expand Up @@ -115,15 +115,14 @@ def document_viewers(doc_id):
has_preview = doc.has_preview()
audit_entries = audit_service.entries_for(doc)

ctx = dict(
doc=doc,
audit_entries=audit_entries,
breadcrumbs=bc,
folder=doc.parent,
has_preview=has_preview,
csrf_token=csrf.field(),
viewers=object_viewers(doc))

ctx = {
'doc': doc,
'audit_entries': audit_entries,
'breadcrumbs': bc,
'folder': doc.parent,
'has_preview': has_preview,
'viewers': object_viewers(doc),
}
return render_template("documents/document_viewers.html", **ctx)


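Review bot: `document_view` and `document_viewers` now build byte-identical `ctx` dictionaries, so this refactor is the moment to hoist that into one private helper and have both views call `render_template(..., **_document_ctx(doc, bc, has_preview, audit_entries))`; otherwise the next key added to one will be forgotten in the other. Both functions start outside their hunks, so the lines computing `bc`, `has_preview` and `audit_entries` are not visible here and the helper's parameter list below is inferred from the context.
```python
def _document_ctx(doc, bc, has_preview, audit_entries):
    """Template context shared by document_view and document_viewers."""
    return {
        'doc': doc,
        'audit_entries': audit_entries,
        'breadcrumbs': bc,
        'folder': doc.parent,
        'has_preview': has_preview,
        'viewers': object_viewers(doc),
    }
```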
