
More CSRF hardening for the internet-login and internet-disown views.

1 parent 360e8d6 commit 00797bae3413f13e363e8a1dd6cd6abbfd5e8620 @micolous committed Jun 20, 2012
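--- a/tollgate/frontend/templates/frontend/internet.html
+++ b/tollgate/frontend/templates/frontend/internet.html
@@ -53,12 +53,14 @@
 <th>First Seen</th>
 </tr>
 {% for host in hosts %}
-<tr class="{% cycle row1,row2 %}">
-<td>{{ host.computer_name }}</td>
-<td><a href="{% url 'internet-login' host.mac_address %}" title="Log in this host"><img src="{{ STATIC_URL }}tollgate/console_icons/{{ host.vendor }}.png" alt="{{ host.vendor }} " title="{{ host.vendor }}" class="cs"/><code>{{ host.mac_address }}</code></a></td>
-<td><code><a href="{% url 'internet-login' host.mac_address %}" title="Log in this host">{{ host.ip_address }}</a></code></td>
-<td><abbr title="{{ host.first_connection|naturalday }} at {{ host.first_connection|time }}">{{ host.first_connection|timesince }} ago</abbr></td>
-</tr>
+<form method="post" action="{% url 'internet-login' host.mac_address %}">{% csrf_token %}
+<tr class="{% cycle row1,row2 %}">
+<td>{{ host.computer_name }}</td>
+<td><img src="{{ STATIC_URL }}tollgate/console_icons/{{ host.vendor }}.png" alt="{{ host.vendor }} " title="{{ host.vendor }}" class="cs"/><input type="submit" value="{{ host.mac_address }}"/></td>
+<td><input type="submit" value="{{ host.ip_address }}"/></td>
+<td><abbr title="{{ host.first_connection|naturalday }} at {{ host.first_connection|time }}">{{ host.first_connection|timesince }} ago</abbr></td>
+</tr>
+</form>
 {% endfor %}
 </table>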
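Review bot: The new `<form>` on the line after `{% for host in hosts %}` wraps a `<tr>`, which is not valid HTML — a `<form>` cannot be a child of `<table>`, and the `{% csrf_token %}` hidden input is emitted there as well, so the HTML5 parser foster-parents both out of the table and which submit buttons (and which token) belong to which form is left to the parser's form-pointer rules rather than to the markup. That is fragile for a CSRF fix: a parser that drops the association posts without the token, or against the wrong host's action. Put the form inside the cell instead, e.g. `<td><form method="post" action="{% url 'internet-login' host.mac_address %}">{% csrf_token %}<input type="submit" value="{{ host.mac_address }}" title="Log in this host"/></form></td>`, and either do the same for the IP cell or render the IP as plain text. The `title="Log in this host"` hint carried by the old links was also dropped from both buttons.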
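--- a/tollgate/frontend/templates/frontend/quota.html
+++ b/tollgate/frontend/templates/frontend/quota.html
@@ -195,19 +195,21 @@
 <th>Disown/Disconnect</th>
 </tr>
 {% for host in my_hosts %}
-<tr class="{% cycle row1,row2 %}">
-<td>{{ host.computer_name }}</td>
-<td><img src="{{ STATIC_URL }}tollgate/console_icons/{{ host.vendor }}.png" alt="{{ host.vendor }} " title="{{ host.vendor }}" class="cs"/><code>{{ host.mac_address }}</code></td>
-<td><code>{{ host.ip_address }}</code></td>
-<td>
-{% if host.online %}
-<span class="yes">Yes</span>
-{% else %}
-<span class="no">No</span>
-{% endif %}
-</td>
-<td><a href="{% url 'internet-disown' host.id %}" title="This will make it so the computer is no longer marked as owned by you, disconnecting it from the internet">Disown Computer</a></td>
-</tr>
+<form method="post" action="{% url 'internet-disown' host.id %}">{% csrf_token %}
+<tr class="{% cycle row1,row2 %}">
+<td>{{ host.computer_name }}</td>
+<td><img src="{{ STATIC_URL }}tollgate/console_icons/{{ host.vendor }}.png" alt="{{ host.vendor }} " title="{{ host.vendor }}" class="cs"/><code>{{ host.mac_address }}</code></td>
+<td><code>{{ host.ip_address }}</code></td>
+<td>
+{% if host.online %}
+<span class="yes">Yes</span>
+{% else %}
+<span class="no">No</span>
+{% endif %}
+</td>
+<td><input type="submit" value="Disown Computer" title="This will make it so the computer is no longer marked as owned by you, disconnecting it from the internet"/></td>
+</tr>
+</form>
 {% endfor %}
 </table>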
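Review bot: The `<form>` that wraps the `<tr>` after `{% for host in my_hosts %}` is not valid table content, and the `{% csrf_token %}` input is emitted directly under `<table>` too, so the HTML5 parser foster-parents both and the Disown button's association with its form and token rests on parser behaviour rather than on the markup. Since only one cell submits, the clean fix is to keep the form inside that cell: `<td><form method="post" action="{% url 'internet-disown' host.id %}">{% csrf_token %}<input type="submit" value="Disown Computer" title="…"/></form></td>`, dropping the outer `<form>`/`</form>` lines. Disown is now a one-click destructive action with no confirmation; the old link lacked one as well, but a `onsubmit="return confirm('Disown this computer?')"` on the form is worth considering now that it is a real submit.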
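--- a/tollgate/frontend/templates/frontend/usage-info.html
+++ b/tollgate/frontend/templates/frontend/usage-info.html
@@ -121,19 +121,21 @@
 <th>Disown/Disconnect</th>
 </tr>
 {% for host in a.user_profile.get_hosts %}
-<tr class="{% cycle row1,row2 %}">
-<td>{{ host.computer_name }}</td>
-<td><img src="{{ STATIC_URL }}tollgate/console_icons/{{ host.vendor }}.png" alt="{{ host.vendor }} " title="{{ host.vendor }}" class="cs"/><code>{{ host.mac_address }}</code></td>
-<td><code>{{ host.ip_address }}</code></td>
-<td>
-{% if host.online %}
-<span class="yes">Yes</span>
-{% else %}
-<span class="no">No</span>
-{% endif %}
-</td>
-<td><a href="{% url 'internet-disown' host.id %}" title="This will make it so the computer is no longer marked as owned by the user, disconnecting it from the internet">Disown Computer</a></td>
-</tr>
+<form method="post" action="{% url 'internet-disown' host.id %}">{% csrf_token %}
+<tr class="{% cycle row1,row2 %}">
+<td>{{ host.computer_name }}</td>
+<td><img src="{{ STATIC_URL }}tollgate/console_icons/{{ host.vendor }}.png" alt="{{ host.vendor }} " title="{{ host.vendor }}" class="cs"/><code>{{ host.mac_address }}</code></td>
+<td><code>{{ host.ip_address }}</code></td>
+<td>
+{% if host.online %}
+<span class="yes">Yes</span>
+{% else %}
+<span class="no">No</span>
+{% endif %}
+</td>
+<td><input type="submit" value="Disown Computer" title="This will make it so the computer is no longer marked as owned by the user, disconnecting it from the internet"/></td>
+</tr>
+</form>
 {% endfor %}
 </table>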
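Review bot: The hosts listed here come from `a.user_profile.get_hosts`, i.e. they belong to someone other than the viewer, so every POST to `internet-disown` from this page is a cross-user action; the CSRF token only proves the viewer intended the click, and the server-side view still has to check that `request.user` is allowed to disown hosts it does not own — only the first line of `internet_disown`'s body is in this commit, so that check cannot be confirmed from here. The markup has the same problem as quota.html: the `<form>` wrapping the `<tr>` after the `{% for %}` and the `{% csrf_token %}` emitted directly under `<table>` are foster-parented by the HTML5 parser, so the form should live inside the cell: `<td><form method="post" action="{% url 'internet-disown' host.id %}">{% csrf_token %}<input type="submit" value="Disown Computer" title="…"/></form></td>`.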
{% else %}
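--- a/tollgate/frontend/views.py
+++ b/tollgate/frontend/views.py
@@ -37,6 +37,7 @@
 from tollgate.frontend.forms import *
 from django.core.exceptions import *
 from django.contrib import messages
+from django.views.decorators.http import require_http_methods
 import random
@@ -152,7 +153,8 @@ def login(request):
 if f.cleaned_data['internet']:
 # we need to do an internet login as well for the user.
 # lets send them across
-return redirect('internet-login-here')
+#return redirect('internet-login-here')
+return internet_login_here(request)
 # no internet login requested
 # send to homepage
@@ -171,6 +173,7 @@ def logout(request):
 context_instance=RequestContext(request))
+@require_http_methods(['POST'])
 @login_required
 def internet_login_here(request):
 # find my MAC address
@@ -186,9 +189,11 @@ def internet_login_here(request):
 #mac = mac.replace(":", "")
-return redirect('internet-login', mac)
+#return redirect('internet-login', mac)
+return internet_login(request, mac)
+@require_http_methods(['POST'])
 @login_required
 def internet_login(request, mac_address):
 # we assume urls were setup right so we don't have to fux around with
@@ -299,6 +304,7 @@ def internet_login(request, mac_address):
 }, context_instance=RequestContext(request))
+@require_http_methods(['POST'])
 @login_required
 def internet_disown(request, host_id):
 h = get_object_or_404(NetworkHost, id=host_id)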
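Review bot: `internet_disown` loads the host from the id in the URL (`h = get_object_or_404(NetworkHost, id=host_id)`) and the hunk ends before any ownership or permission check; usage-info.html posts to this view for other users' hosts, so the rest of the function (outside this hunk) must verify that `request.user` owns `h` or holds the relevant permission, otherwise any logged-in user can disconnect any host and the POST-only restriction does not help. Making the views POST-only gives CSRF protection only if `CsrfViewMiddleware` is enabled in settings, which this commit cannot show; stacking `@csrf_protect` from `django.views.decorators.csrf` on the three views makes that guarantee explicit and local, and `require_POST` is the idiomatic spelling of `require_http_methods(['POST'])`. `login` now calls `internet_login_here(request)` in-process instead of redirecting, so the result of the login POST is rendered at the login URL and a browser refresh re-submits the credentials — the old post-redirect-get was the safer shape, and the commented-out `#return redirect(...)` lines should be deleted rather than kept as dead code.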

