Turn secure_form into a Mako block.

This fixes the weird mismatch between secure_form living in lib and end_form living in h, and saves us from caring about what the name of the closing-tag function is. But most importantly, Mako will throw an error at compile time if you don't close the block, so forms can't dangle open.
eevee · Apr 1, 2012 · b4034fa · b4034fa
1 parent 17bd55b
commit b4034fa
Show file tree

Hide file tree

Showing 15 changed files with 53 additions and 45 deletions.
diff --git a/floof/templates/account/controls/authentication.mako b/floof/templates/account/controls/authentication.mako
@@ -7,7 +7,7 @@
 <p>${lib.icon('exclamation', 'Warning!')}
 This control is intended for use by <strong>advanced users</strong> only.</p>
 
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
 <dl class="standard-form">
     ${lib.field(form.cert_auth)}
     <dd class="standard-form-footer">
@@ -33,4 +33,4 @@ option.  Some of them are listed below.</p>
     <li>Options that require certificates will be hidden until you select
     &quot;Allow for login&quot; and authenticate with a certificate.</l1>
 </ol>
-${h.end_form()}
+</%lib:secure_form>
diff --git a/floof/templates/account/controls/browserid.mako b/floof/templates/account/controls/browserid.mako
@@ -26,11 +26,11 @@
     $(browseridOnClick('#browserid', '${request.route_path("controls.browserid.add")}'));
 </script>
 
-${lib.secure_form(request.route_url('controls.browserid.remove'))}
+<%lib:secure_form url="${request.route_url('controls.browserid.remove')}">
 <dl class="standard-form">
     ${lib.field(form.browserids)}
     <dd class="standard-form-footer">
         <button>Remove</button>
     </dd>
 </dl>
-${h.end_form()}
+</%lib:secure_form>
diff --git a/floof/templates/account/controls/certificates_add.mako b/floof/templates/account/controls/certificates_add.mako
@@ -19,7 +19,7 @@ $(document).ready(function() {
 
 <div class="clearfix">
 <div class="halfsplit left">
-    ${lib.secure_form(request.path_url)}
+    <%lib:secure_form>
     <h1 class="top-heading">Generate Certificate in Browser</h1>
     <dl class="standard-form">
         ${lib.field(browser_form.days)}
@@ -28,7 +28,7 @@ $(document).ready(function() {
             <button id="browser-gen-commit">Generate in Browser</button>
         </dd>
     </dl>
-    ${h.end_form()}
+    </%lib:secure_form>
 </div>
 <div class="halfsplit right">
     <p>This will cause your browser to generate and install a certificate
@@ -52,7 +52,7 @@ $(document).ready(function() {
 <div class="clearfix">
 <div class="halfsplit left">
     <h1>Generate Certificate on Server</h1>
-    ${lib.secure_form(request.route_url('controls.certs.generate_server', name=request.user.name))}
+    <%lib:secure_form url="${request.route_url('controls.certs.generate_server', name=request.user.name)}">
     <dl class="standard-form">
         ${lib.field(server_form.days)}
         ${lib.field(server_form.name)}
@@ -61,7 +61,7 @@ $(document).ready(function() {
             <button>Generate on Server</button>
         </dd>
     </dl>
-    ${h.end_form()}
+    </%lib:secure_form>
 </div>
 <div class="halfsplit right">
     <p>This will return a PKCS12 (.p12) certificate file for download and

diff --git a/floof/templates/account/controls/certificates_revoke.mako b/floof/templates/account/controls/certificates_revoke.mako
@@ -5,7 +5,7 @@
 ${h.friendly_serial(cert.serial)}</%def>
 <%def name="panel_icon()">${lib.icon('key--minus')}</%def>
 
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
 <p>Are you absolutely sure that you wish to <strong>permanently revoke</strong>
 the certificate below?  You will no longer be able to log in with this
 certificate.<p>
@@ -44,4 +44,4 @@ ${form.cancel()}
     <dd><pre>${cert.details}</pre></dd>
 </dl>
 
-${h.end_form()}
+</%lib:secure_form>
diff --git a/floof/templates/account/controls/openid.mako b/floof/templates/account/controls/openid.mako
@@ -5,20 +5,20 @@
 <%def name="panel_title()">OpenID Identity Settings</%def>
 <%def name="panel_icon()">${lib.icon('openid')}</%def>
 
-${lib.secure_form(request.route_url('controls.openid.add'))}
+<%lib:secure_form url="${request.route_url('controls.openid.add')}">
 <dl class="standard-form">
     ${lib.field(add_openid_form.new_openid)}
     <dd class="standard-form-footer">
         <button>Add</button>
     </dd>
 </dl>
-${h.end_form()}
+</%lib:secure_form>
 <br />
-${lib.secure_form(request.route_url('controls.openid.remove'))}
+<%lib:secure_form url="${request.route_url('controls.openid.remove')}">
 <dl class="standard-form">
     ${lib.field(remove_openid_form.openids)}
     <dd class="standard-form-footer">
         <button>Remove</button>
     </dd>
 </dl>
-${h.end_form()}
+</%lib:secure_form>
diff --git a/floof/templates/account/controls/relationships_watch.mako b/floof/templates/account/controls/relationships_watch.mako
@@ -5,7 +5,7 @@
 <%def name="panel_title()">Watch ${lib.user_link(target_user)}</%def>
 <%def name="panel_icon()">${lib.icon(u'user--plus')}</%def>
 
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
 ${h.tags.hidden(name=u'target_user', value=target_user.name)}
 <ul>
     <li><label>
@@ -31,17 +31,17 @@ ${h.tags.hidden(name=u'target_user', value=target_user.name)}
 </ul>
 
 <p><button type="submit" class="stylish-button confirm">Save</button></p>
-${h.end_form()}
+</%lib:secure_form>
 
 
 % if watch:
 <h2>Or...</h2>
-${lib.secure_form(request.route_url('controls.rels.unwatch'))}
+<%lib:secure_form url="${request.route_url('controls.rels.unwatch')}">
 ${h.tags.hidden(name=u'target_user', value=target_user.name)}
 <p>
     <label><input type="checkbox" name="confirm"> Unwatch entirely</label>
     <br>
     <button type="submit" class="stylish-button destroy">Yes, I'm sure!</button>
 </p>
-${h.end_form()}
+</%lib:secure_form>
 % endif
diff --git a/floof/templates/account/controls/user_info.mako b/floof/templates/account/controls/user_info.mako
@@ -12,7 +12,7 @@ fields = [
         ]
 %>
 
-${lib.secure_form(request.path_url)}
+<%lib:secure_form>
 <dl class="standard-form">
     % for f in fields:
         <% field = form[f] %>\
@@ -27,4 +27,4 @@ ${lib.secure_form(request.path_url)}
         <button>Update</button>
     </dd>
 </dl>
-${h.end_form()}
+</%lib:secure_form>
diff --git a/floof/templates/account/login.mako b/floof/templates/account/login.mako
@@ -34,9 +34,9 @@
     $(browseridOnClick('#browserid', '${path}'));
 </script>
 
-${lib.secure_form(request.route_url('account.register'), id='postform')}
+<%lib:secure_form url="${request.route_url('account.register')}" id="postform">
     ${h.tags.hidden('display_only', value='true')}
-${h.end_form()}
+</%lib:secure_form>
 
 <aside class="sidebar">
     <h1>How will this work?</h1>
@@ -61,15 +61,15 @@ ${h.end_form()}
 
 
 <h1>Alternative: Log in with OpenID</h1>
-${lib.secure_form(request.route_url('account.login_begin'))}
+<%lib:secure_form url="${request.route_url('account.login_begin')}">
     <div id="big-ol-openid-box">
         ${form.return_key() | n}
         <span class="text-plus-button">
             ${form.openid_identifier(id="big-ol-openid-box--field", placeholder='you@gmail.com')}<!--
             --><button>Log in</button>
         </span>
     </div>
-${h.end_form()}
+</%lib:secure_form>
 
 
 <%

diff --git a/floof/templates/account/profile.mako b/floof/templates/account/profile.mako
@@ -2,9 +2,9 @@
 <%namespace name="lib" file="/lib.mako" />
 
 <section>
-    ${lib.secure_form('')}
+    <%lib:secure_form url="">
         <textarea name="profile" rows="40" cols="120">${request.user.profile or ''}</textarea>
         <br>
         <input type="submit" value="Update">
-    ${h.end_form()}
+    </%lib:secure_form>
 </section>
diff --git a/floof/templates/account/register.mako b/floof/templates/account/register.mako
@@ -16,9 +16,9 @@
     <p>You're already logged in as ${lib.user_link(request.user)}, and you're trying to identify as <code>${identity}</code>.</p>
     <p>You can link this to your account as a secondary identity.  That way, if you lose access to your main identity, you can still log in.</p>
 
-    ${lib.secure_form(request.route_url('account.add_identity'))}
+    <%lib:secure_form url="${request.route_url('account.add_identity')}">
     <p><button>Sounds good!  Link me up</button></p>
-    ${h.end_form()}
+    </%lib:secure_form>
 
     <p>Or did you want to create an entirely new account?</p>
 </section>
@@ -37,7 +37,7 @@
     <p>Confused?  Just leave "display name" blank, and you can worry about it later.</p>
 </aside>
 
-${lib.secure_form(request.route_url('account.register'), style="overflow: hidden;")}
+<%lib:secure_form url="${request.route_url('account.register')}" style="overflow: hidden;">
 <dl class="standard-form">
     <dt>Registering from</dt>
     <dd>
@@ -55,5 +55,5 @@ ${lib.secure_form(request.route_url('account.register'), style="overflow: hidden
 
     <dd><button type="submit">OK, register!</button></dd>
 </dl>
-${h.end_form()}
+</%lib:secure_form>
 </section>
diff --git a/floof/templates/art/upload.mako b/floof/templates/art/upload.mako
@@ -14,7 +14,7 @@
         Upload
     </h1>
 
-    ${lib.secure_form(request.path_url, multipart=True, id="upload-form")}
+    <%lib:secure_form multipart="${True}" id="upload-form">
     <div class="column-container">
         <section class="column">
             <div class="upload-block state-oldmode">
@@ -66,7 +66,7 @@
                 ## TODO thing to add a new label
             </dl>
         </section>
-    ${h.end_form()}
+    </%lib:secure_form>
 </section>
 
 ## TODO i probably want to go in the base template when upload works on every

diff --git a/floof/templates/art/view.mako b/floof/templates/art/view.mako
@@ -74,14 +74,14 @@
                 <div class="rater-info"><span class="rater-num-ratings">${artwork.rating_count}</span> (<span class="rater-rating-sum">${rating_score or u'—'}</span>)</div>
                 <% rating_chars = [u'\u2b06', u'\u2022', u'\u2b07'] %>
                 % for r in range(len(rating_chars)):
-                    ${lib.secure_form(request.route_url('art.rate', artwork=artwork), class_="rater-form")}
+                    <%lib:secure_form url="${request.route_url('art.rate', artwork=artwork)}" class_="rater-form">
                         ${h.hidden(name="rating", value=(len(rating_chars) / 2 - r))}
                     % if current_rating == (len(rating_chars) / 2 - r):
                         ${h.submit(value=rating_chars[r], name="commit", disabled="disabled")}
                     % else:
                         ${h.submit(value=rating_chars[r], name="commit")}
                     % endif
-                    ${h.end_form()}
+                    </%lib:secure_form>
                 % endfor
             </noscript>
         % elif request.user:
@@ -107,13 +107,13 @@
         ('tags.remove', 'remove_tags', remove_tag_form), \
     ]:
     % if request.user.can(perm, request.context):
-    ${lib.secure_form(request.route_url('art.' + action, artwork=artwork))}
+    <%lib:secure_form url="${request.route_url('art.' + action, artwork=artwork)}">
     <p>
         ${form.tags.label()}:
         ${form.tags()}
         <button type="submit">Go</button>
     </p>
-    ${h.end_form()}
+    </%lib:secure_form>
     ${lib.field_errors(form.tags)}
     % endif
     % endfor

diff --git a/floof/templates/base.mako b/floof/templates/base.mako
@@ -40,9 +40,9 @@
                     </a>
                     <menu>
                         <li>
-                            ${lib.secure_form(request.route_url('account.logout'))}
+                            <%lib:secure_form url="${request.route_url('account.logout')}">
                                 <div><button>Log out</button></div>
-                            ${h.end_form()}
+                            </%lib:secure_form>
                         </li>
                     </menu>
                 </li>

diff --git a/floof/templates/comments/lib.mako b/floof/templates/comments/lib.mako
@@ -58,19 +58,19 @@
 </%def>
 
 <%def name="write_form(form, resource, parent_comment=None)">
-${lib.secure_form(request.route_url('comments.reply' if parent_comment else 'comments.write', resource=resource, comment=parent_comment), method='POST')}
+<%lib:secure_form url="${request.route_url('comments.reply' if parent_comment else 'comments.write', resource=resource, comment=parent_comment)}">
 <p>${form.message(rows=25, cols=80)}</p>
 <p>
     <button type="submit">POST TO INTERNET</button>
 </p>
-${h.end_form()}
+</%lib:secure_form>
 </%def>
 
 <%def name="edit_form(form, resource, comment)">
-${lib.secure_form(request.route_url('comments.edit', resource=resource, comment=comment), method='POST')}
+<%lib:secure_form url="${request.route_url('comments.edit', resource=resource, comment=comment)}">
 <p>${form.message(rows=25, cols=80)}</p>
 <p>
     <button type="submit">Save Changes</button>
 </p>
-${h.end_form()}
+</%lib:secure_form>
 </%def>
diff --git a/floof/templates/lib.mako b/floof/templates/lib.mako
@@ -91,10 +91,18 @@ ${user.display_name}</a> (${user.name})\
 </%def>
 
 
-## Standard form rendering
+#### Standard form rendering
-<%def name="secure_form(*args, **kwargs)">
+## This is a *wrapper* def; wrap your form with a <%lib:secure_form> block.
-${h.tags.form(*args, **kwargs)}
+## Default is to submit to the current page (explicitly, not via action="").
+<%def name="secure_form(url=None, **kwargs)">
+<%
+    if url is None:
+        url = request.path_url
+%>
+${h.tags.form(url=url, **kwargs)}
 ${h.tags.hidden('csrf_token', value=request.session.get_csrf_token(), id=None)}
+${caller.body()}
+${h.end_form()}
 </%def>
 
 <%def name="field(form_field, hint_text=None, **kwargs)">\