
Turn secure_form into a Mako block.

This fixes the weird mismatch between secure_form living in lib and
end_form living in h, and saves us from caring about what the name of
the closing-tag function is.

But most importantly, Mako will throw an error at compile time if you
don't close the block, so forms can't dangle open.
1 parent 17bd55b commit b4034fa1464e2829ced2d3670f8a1f6ff5e1df33 @eevee committed Apr 1, 2012
@@ -7,7 +7,7 @@
<p>${lib.icon('exclamation', 'Warning!')}
This control is intended for use by <strong>advanced users</strong> only.</p>
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
<dl class="standard-form">
${lib.field(form.cert_auth)}
<dd class="standard-form-footer">
@@ -33,4 +33,4 @@ option. Some of them are listed below.</p>
<li>Options that require certificates will be hidden until you select
&quot;Allow for login&quot; and authenticate with a certificate.</l1>
</ol>
-${h.end_form()}
+</%lib:secure_form>
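Review bot: The context line just above the closing `</ol>` ends its list item with `</l1>` (letter l, digit one) instead of `</li>`, so the last `<li>` is never closed and the parser has to recover from a stray unknown end tag; it is pre-existing, but it now sits inside the rewritten `<%lib:secure_form>` body. Change it to `&quot;Allow for login&quot; and authenticate with a certificate.</li>`. The form body this hunk closes starts outside the hunk.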
@@ -26,11 +26,11 @@
$(browseridOnClick('#browserid', '${request.route_path("controls.browserid.add")}'));
</script>
-${lib.secure_form(request.route_url('controls.browserid.remove'))}
+<%lib:secure_form url="${request.route_url('controls.browserid.remove')}">
<dl class="standard-form">
${lib.field(form.browserids)}
<dd class="standard-form-footer">
<button>Remove</button>
</dd>
</dl>
-${h.end_form()}
+</%lib:secure_form>
@@ -19,7 +19,7 @@ $(document).ready(function() {
<div class="clearfix">
<div class="halfsplit left">
- ${lib.secure_form(request.path_url)}
+ <%lib:secure_form>
<h1 class="top-heading">Generate Certificate in Browser</h1>
<dl class="standard-form">
${lib.field(browser_form.days)}
@@ -28,7 +28,7 @@ $(document).ready(function() {
<button id="browser-gen-commit">Generate in Browser</button>
</dd>
</dl>
- ${h.end_form()}
+ </%lib:secure_form>
</div>
<div class="halfsplit right">
<p>This will cause your browser to generate and install a certificate
@@ -52,7 +52,7 @@ $(document).ready(function() {
<div class="clearfix">
<div class="halfsplit left">
<h1>Generate Certificate on Server</h1>
- ${lib.secure_form(request.route_url('controls.certs.generate_server', name=request.user.name))}
+ <%lib:secure_form url="${request.route_url('controls.certs.generate_server', name=request.user.name)}">
<dl class="standard-form">
${lib.field(server_form.days)}
${lib.field(server_form.name)}
@@ -61,7 +61,7 @@ $(document).ready(function() {
<button>Generate on Server</button>
</dd>
</dl>
- ${h.end_form()}
+ </%lib:secure_form>
</div>
<div class="halfsplit right">
<p>This will return a PKCS12 (.p12) certificate file for download and
@@ -5,7 +5,7 @@
${h.friendly_serial(cert.serial)}</%def>
<%def name="panel_icon()">${lib.icon('key--minus')}</%def>
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
<p>Are you absolutely sure that you wish to <strong>permanently revoke</strong>
the certificate below? You will no longer be able to log in with this
certificate.<p>
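Review bot: The warning paragraph at the end of this hunk closes with `<p>` rather than `</p>` (`certificate.<p>`), which opens a second, empty paragraph inside the new `<%lib:secure_form>` block instead of closing the first one. Change it to `certificate.</p>`. The form body continues past the hunk.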
@@ -44,4 +44,4 @@ ${form.cancel()}
<dd><pre>${cert.details}</pre></dd>
</dl>
-${h.end_form()}
+</%lib:secure_form>
@@ -5,20 +5,20 @@
<%def name="panel_title()">OpenID Identity Settings</%def>
<%def name="panel_icon()">${lib.icon('openid')}</%def>
-${lib.secure_form(request.route_url('controls.openid.add'))}
+<%lib:secure_form url="${request.route_url('controls.openid.add')}">
<dl class="standard-form">
${lib.field(add_openid_form.new_openid)}
<dd class="standard-form-footer">
<button>Add</button>
</dd>
</dl>
-${h.end_form()}
+</%lib:secure_form>
<br />
-${lib.secure_form(request.route_url('controls.openid.remove'))}
+<%lib:secure_form url="${request.route_url('controls.openid.remove')}">
<dl class="standard-form">
${lib.field(remove_openid_form.openids)}
<dd class="standard-form-footer">
<button>Remove</button>
</dd>
</dl>
-${h.end_form()}
+</%lib:secure_form>
@@ -5,7 +5,7 @@
<%def name="panel_title()">Watch ${lib.user_link(target_user)}</%def>
<%def name="panel_icon()">${lib.icon(u'user--plus')}</%def>
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
${h.tags.hidden(name=u'target_user', value=target_user.name)}
<ul>
<li><label>
@@ -31,17 +31,17 @@ ${h.tags.hidden(name=u'target_user', value=target_user.name)}
</ul>
<p><button type="submit" class="stylish-button confirm">Save</button></p>
-${h.end_form()}
+</%lib:secure_form>
% if watch:
<h2>Or...</h2>
-${lib.secure_form(request.route_url('controls.rels.unwatch'))}
+<%lib:secure_form url="${request.route_url('controls.rels.unwatch')}">
${h.tags.hidden(name=u'target_user', value=target_user.name)}
<p>
<label><input type="checkbox" name="confirm"> Unwatch entirely</label>
<br>
<button type="submit" class="stylish-button destroy">Yes, I'm sure!</button>
</p>
-${h.end_form()}
+</%lib:secure_form>
% endif
@@ -12,7 +12,7 @@ fields = [
]
%>
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
<dl class="standard-form">
% for f in fields:
<% field = form[f] %>\
@@ -27,4 +27,4 @@ ${lib.secure_form(request.path_url)}
<button>Update</button>
</dd>
</dl>
-${h.end_form()}
+</%lib:secure_form>
@@ -34,9 +34,9 @@
$(browseridOnClick('#browserid', '${path}'));
</script>
-${lib.secure_form(request.route_url('account.register'), id='postform')}
+<%lib:secure_form url="${request.route_url('account.register')}" id="postform">
${h.tags.hidden('display_only', value='true')}
-${h.end_form()}
+</%lib:secure_form>
<aside class="sidebar">
<h1>How will this work?</h1>
@@ -61,15 +61,15 @@ ${h.end_form()}
<h1>Alternative: Log in with OpenID</h1>
-${lib.secure_form(request.route_url('account.login_begin'))}
+<%lib:secure_form url="${request.route_url('account.login_begin')}">
<div id="big-ol-openid-box">
${form.return_key() | n}
<span class="text-plus-button">
${form.openid_identifier(id="big-ol-openid-box--field", placeholder='you@gmail.com')}<!--
--><button>Log in</button>
</span>
</div>
-${h.end_form()}
+</%lib:secure_form>
<%
@@ -2,9 +2,9 @@
<%namespace name="lib" file="/lib.mako" />
<section>
- ${lib.secure_form('')}
+ <%lib:secure_form url="">
<textarea name="profile" rows="40" cols="120">${request.user.profile or ''}</textarea>
<br>
<input type="submit" value="Update">
- ${h.end_form()}
+ </%lib:secure_form>
</section>
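Review bot: `<%lib:secure_form url="">` passes an empty string, which is not `None`, so the new def will keep emitting an empty form action here rather than the explicit current-page URL its header comment promises as the default. If the old `lib.secure_form('')` was not a deliberate choice, dropping the attribute (`<%lib:secure_form>`) gives the same destination explicitly; if it was, a one-line `## keep empty action: ...` comment would stop the next reader from "fixing" it.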
@@ -16,9 +16,9 @@
<p>You're already logged in as ${lib.user_link(request.user)}, and you're trying to identify as <code>${identity}</code>.</p>
<p>You can link this to your account as a secondary identity. That way, if you lose access to your main identity, you can still log in.</p>
- ${lib.secure_form(request.route_url('account.add_identity'))}
+ <%lib:secure_form url="${request.route_url('account.add_identity')}">
<p><button>Sounds good! Link me up</button></p>
- ${h.end_form()}
+ </%lib:secure_form>
<p>Or did you want to create an entirely new account?</p>
</section>
@@ -37,7 +37,7 @@
<p>Confused? Just leave "display name" blank, and you can worry about it later.</p>
</aside>
-${lib.secure_form(request.route_url('account.register'), style="overflow: hidden;")}
+<%lib:secure_form url="${request.route_url('account.register')}" style="overflow: hidden;">
<dl class="standard-form">
<dt>Registering from</dt>
<dd>
@@ -55,5 +55,5 @@ ${lib.secure_form(request.route_url('account.register'), style="overflow: hidden
<dd><button type="submit">OK, register!</button></dd>
</dl>
-${h.end_form()}
+</%lib:secure_form>
</section>
@@ -14,7 +14,7 @@
Upload
</h1>
- ${lib.secure_form(request.path_url, multipart=True, id="upload-form")}
+ <%lib:secure_form multipart="${True}" id="upload-form">
<div class="column-container">
<section class="column">
<div class="upload-block state-oldmode">
@@ -66,7 +66,7 @@
## TODO thing to add a new label
</dl>
</section>
- ${h.end_form()}
+ </%lib:secure_form>
</section>
## TODO i probably want to go in the base template when upload works on every
@@ -74,14 +74,14 @@
<div class="rater-info"><span class="rater-num-ratings">${artwork.rating_count}</span> (<span class="rater-rating-sum">${rating_score or u''}</span>)</div>
<% rating_chars = [u'\u2b06', u'\u2022', u'\u2b07'] %>
% for r in range(len(rating_chars)):
- ${lib.secure_form(request.route_url('art.rate', artwork=artwork), class_="rater-form")}
+ <%lib:secure_form url="${request.route_url('art.rate', artwork=artwork)}" class_="rater-form">
${h.hidden(name="rating", value=(len(rating_chars) / 2 - r))}
% if current_rating == (len(rating_chars) / 2 - r):
${h.submit(value=rating_chars[r], name="commit", disabled="disabled")}
% else:
${h.submit(value=rating_chars[r], name="commit")}
% endif
- ${h.end_form()}
+ </%lib:secure_form>
% endfor
</noscript>
% elif request.user:
@@ -107,13 +107,13 @@
('tags.remove', 'remove_tags', remove_tag_form), \
]:
% if request.user.can(perm, request.context):
- ${lib.secure_form(request.route_url('art.' + action, artwork=artwork))}
+ <%lib:secure_form url="${request.route_url('art.' + action, artwork=artwork)}">
<p>
${form.tags.label()}:
${form.tags()}
<button type="submit">Go</button>
</p>
- ${h.end_form()}
+ </%lib:secure_form>
${lib.field_errors(form.tags)}
% endif
% endfor
@@ -40,9 +40,9 @@
</a>
<menu>
<li>
- ${lib.secure_form(request.route_url('account.logout'))}
+ <%lib:secure_form url="${request.route_url('account.logout')}">
<div><button>Log out</button></div>
- ${h.end_form()}
+ </%lib:secure_form>
</li>
</menu>
</li>
@@ -58,19 +58,19 @@
</%def>
<%def name="write_form(form, resource, parent_comment=None)">
-${lib.secure_form(request.route_url('comments.reply' if parent_comment else 'comments.write', resource=resource, comment=parent_comment), method='POST')}
+<%lib:secure_form url="${request.route_url('comments.reply' if parent_comment else 'comments.write', resource=resource, comment=parent_comment)}">
<p>${form.message(rows=25, cols=80)}</p>
<p>
<button type="submit">POST TO INTERNET</button>
</p>
-${h.end_form()}
+</%lib:secure_form>
</%def>
<%def name="edit_form(form, resource, comment)">
-${lib.secure_form(request.route_url('comments.edit', resource=resource, comment=comment), method='POST')}
+<%lib:secure_form url="${request.route_url('comments.edit', resource=resource, comment=comment)}">
<p>${form.message(rows=25, cols=80)}</p>
<p>
<button type="submit">Save Changes</button>
</p>
-${h.end_form()}
+</%lib:secure_form>
</%def>
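Review bot: Both rewritten calls, in `write_form` and `edit_form`, drop the explicit `method='POST'` that the old `lib.secure_form(...)` calls carried, so these state-changing comment forms now depend on whatever `h.tags.form` defaults to. webhelpers' `form()` defaults to post, so the rendered markup is presumably unchanged, but since every `secure_form` carries a CSRF token and exists for state changes, pinning the method inside the def (`kwargs.setdefault('method', 'post')` before the `h.tags.form` call in lib.mako) would make that guarantee independent of the helper's default. Both defs start and end within this hunk.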
@@ -91,10 +91,18 @@ ${user.display_name}</a> (${user.name})\
</%def>
-## Standard form rendering
-<%def name="secure_form(*args, **kwargs)">
-${h.tags.form(*args, **kwargs)}
+#### Standard form rendering
+## This is a *wrapper* def; wrap your form with a <%lib:secure_form> block.
+## Default is to submit to the current page (explicitly, not via action="").
+<%def name="secure_form(url=None, **kwargs)">
+<%
+ if url is None:
+ url = request.path_url
+%>
+${h.tags.form(url=url, **kwargs)}
${h.tags.hidden('csrf_token', value=request.session.get_csrf_token(), id=None)}
+${caller.body()}
+${h.end_form()}
</%def>
<%def name="field(form_field, hint_text=None, **kwargs)">\
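Review bot: The new header comment on `secure_form` explains the URL default but not the two things a caller most needs to know: that every wrapped form automatically gets the session's `csrf_token` hidden field (so call sites must not add their own), and that any other attribute on the `<%lib:secure_form>` tag is forwarded unchanged to `h.tags.form`, which is why `id=`, `class_=` and `multipart="${True}"` work at the call sites. I would add, after the existing `##` lines, `## Adds the session csrf_token as a hidden field; any other attribute (id, class_, multipart="${True}", ...) is forwarded to h.tags.form.` Emitting the token here covers only the rendering side; the views that validate it are outside this diff, so the comment should not claim anything about them.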
