changeset 194:6a5549c2efb5
Implement #62, add support for CSRF protection.
--- a/gpp/settings.py Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/settings.py Sat Apr 03 20:00:56 2010 +0000
@@ -76,6 +76,7 @@
 if DEBUG:
 MIDDLEWARE_CLASSES = (
 'django.middleware.common.CommonMiddleware',
+ 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'debug_toolbar.middleware.DebugToolbarMiddleware',
@@ -86,6 +87,7 @@
 else:
 MIDDLEWARE_CLASSES = (
 'django.middleware.common.CommonMiddleware',
+ 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
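Review bot: The DEBUG and non-DEBUG `MIDDLEWARE_CLASSES` tuples now have to be kept in step by hand, and the two hunks show they differ only by the debug-toolbar entry, so a later edit that adds a middleware to one branch silently leaves the other without it. Consider building the tuple once and inserting `'debug_toolbar.middleware.DebugToolbarMiddleware'` under `if DEBUG:` at the position it occupies here, so the CSRF entry cannot drift between the two. Note also that `CsrfViewMiddleware` rejects any POST whose token is missing or wrong, and the templates touched by this commit only render a usable token when the view passes a `RequestContext` (so the `csrf` context processor runs); a view still rendering with a bare `Context` will now answer every POST with a 403, which is worth a sweep of the views before deploying. Both tuples continue past the end of their hunks.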
--- a/gpp/templates/accounts/login.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/accounts/login.html Sat Apr 03 20:00:56 2010 +0000 @@ -3,13 +3,12 @@ {% block content %} <h2>Login</h2> -<form method="post" action="."> +<form method="post" action=".">{% csrf_token %} <table> {{ form.as_table }} <tr><td> </td><td><input type="submit" value="Login" /></td></tr> </table> <input type="hidden" name="next" value="{{ next }}" /> -{% csrf_token %} </form> <ul>
--- a/gpp/templates/accounts/password_change.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/accounts/password_change.html Sat Apr 03 20:00:56 2010 +0000
@@ -2,7 +2,7 @@
 {% block title %}Change Password{% endblock %}
 {% block content %}
 <h2>Change Password</h2>
-<form method="post" action=".">
+<form method="post" action=".">{% csrf_token %}
 <table>
 {{ form.as_table }}
 <tr><td> </td><td><input type="submit" value="Change Password" />
--- a/gpp/templates/accounts/password_reset.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/accounts/password_reset.html Sat Apr 03 20:00:56 2010 +0000 @@ -5,7 +5,7 @@ <p>Forgot your password? No problem. Just enter your email address and we will email you instructions on how to reset it. </p> -<form method="post" action="."> +<form method="post" action=".">{% csrf_token %} <table> {{ form.as_table }} <tr><td> </td><td><input type="submit" value="Reset Password" />
--- a/gpp/templates/accounts/password_reset_confirm.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/accounts/password_reset_confirm.html Sat Apr 03 20:00:56 2010 +0000
@@ -6,7 +6,7 @@
 <p>
 Please use the following form to reset your password.
 </p>
-<form method="post" action=".">
+<form method="post" action=".">{% csrf_token %}
 <table>
 {{ form.as_table }}
 <tr><td> </td><td><input type="submit" value="Reset Password" />
--- a/gpp/templates/accounts/register.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/accounts/register.html Sat Apr 03 20:00:56 2010 +0000
@@ -13,7 +13,7 @@
 <li>You must agree to our <a href="/policy/tos/" target="_blank">Terms of Service</a>.</li>
 <li>You must agree to our <a href="/policy/privacy/" target="_blank">Privacy Policy</a>.</li>
 </ul>
-<form action="." method="post">
+<form action="." method="post">{% csrf_token %}
 <table>
 {{ form.as_table }}
 <tr><td> </td><td><input type="submit" value="Register" /></td></tr>
--- a/gpp/templates/bio/avatar.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/bio/avatar.html Sat Apr 03 20:00:56 2010 +0000 @@ -15,7 +15,7 @@ this it will be scaled down to 100 x 100 pixels. For best results, please ensure your image is square. </p> - <form enctype="multipart/form-data" method="POST" action="."> + <form enctype="multipart/form-data" method="POST" action=".">{% csrf_token %} {{ form.as_p }} <input type="submit" value="Update Avatar" /> <a href="{% url bio-me %}">Cancel</a>
--- a/gpp/templates/bio/edit_elsewhere.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/bio/edit_elsewhere.html Sat Apr 03 20:00:56 2010 +0000 @@ -9,7 +9,7 @@ <li> <img src="{{ MEDIA_URL }}elsewhere/{{ profile.icon_name }}" alt="{{ profile.name }}" /> <a href="{{ profile.url }}" rel="me">{{ profile.name }}</a> - <form id="delete-network-{{ profile.id }}" method="post" action="."> + <form id="delete-network-{{ profile.id }}" method="post" action=".">{% csrf_token %} <input type="hidden" name="delete_id" value="{{ profile.id }}" /> <input type="submit" name="delete-sn-form" value="Delete" class="button" /> </form> @@ -20,7 +20,7 @@ <p>No social network profiles.</p> {% endif %} -<form method="post" action="."> +<form method="post" action=".">{% csrf_token %} <fieldset> <legend>Add a Social Network</legend> {{ sn_form.as_p }} @@ -38,7 +38,7 @@ <li> <img src="{{ MEDIA_URL }}elsewhere/{{ profile.icon_name }}" alt="{{ profile.name }}" /> {{ profile.name }}: <a href="{{ profile.url }}">{{ profile.username }}</a> - <form id="delete-messenger-{{ profile.id }}" method="post" action="."> + <form id="delete-messenger-{{ profile.id }}" method="post" action=".">{% csrf_token %} <input type="hidden" name="delete_id" value="{{ profile.id }}" /> <input type="submit" name="delete-im-form" value="Delete" class="button" /> </form> @@ -49,7 +49,7 @@ <p>No instant messenger profiles.</p> {% endif %} -<form method="post" action="."> +<form method="post" action=".">{% csrf_token %} <fieldset> <legend>Add an Instant Messenger</legend> {{ im_form.as_p }} 
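Review bot: The token on each delete form stops cross-site submissions, but it does nothing about a logged-in user posting someone else's `profile.id` in `delete_id`; the handlers behind `delete-sn-form` and `delete-im-form` still need to scope the lookup to `request.user`'s own profiles. Those views are not in this diff, so this is a reminder rather than a finding. With five separate forms in one template, a short `{# every form needs its own csrf_token #}` near the first one would stop the next editor from "deduplicating" them.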
@@ -64,7 +64,7 @@ <li> <img src="{{ MEDIA_URL }}icons/world.png" alt="{{ profile.name }}" /> <a href="{{ profile.url }}" rel="me">{{ profile.name }}</a> - <form id="delete-website-{{ profile.id }}" method="post" action="."> + <form id="delete-website-{{ profile.id }}" method="post" action=".">{% csrf_token %} <input type="hidden" name="delete_id" value="{{ profile.id }}" /> <input type="submit" name="delete-w-form" value="Delete" class="button" /> </form> @@ -75,7 +75,7 @@ <p>No website profiles.</p> {% endif %} -<form method="post" action="."> +<form method="post" action=".">{% csrf_token %} <fieldset> <legend>Add a Website</legend> {{ w_form.as_p }}
--- a/gpp/templates/bio/edit_profile.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/bio/edit_profile.html Sat Apr 03 20:00:56 2010 +0000
@@ -8,7 +8,7 @@
 {% block content %}
 <div class="user_profile">
 <h2>Edit Profile for {{ user.username }}</h2>
-<form action="{% url bio-edit_profile %}" method="post">
+<form action="{% url bio-edit_profile %}" method="post">{% csrf_token %}
 <table>
 <tr>
 <td>
--- a/gpp/templates/bio/member_search.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/bio/member_search.html Sat Apr 03 20:00:56 2010 +0000
@@ -6,7 +6,7 @@
 {% block content %}
 <h2>Member Search</h2>
 <p>Looking for a member? Start typing a username in the form below.</p>
-<form action="." method="post">
+<form action="." method="post">{% csrf_token %}
 <fieldset>
 <legend>Member Search</legend>
 {{ form.as_p }}
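Review bot: The prompt text says results appear as the user types, which implies a script sends the query on its own; if that request is a POST to the same view it will now be rejected unless the script also submits the `csrfmiddlewaretoken` rendered here (serialising the whole form rather than just the text field is the simplest way). Whether that lookup is POST or GET is not visible in this hunk; if it is GET there is nothing to do. As with the other search boxes in this commit, a `method="get"` form would sidestep the question entirely, since the search changes no state.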
--- a/gpp/templates/comments/comment_form.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/comments/comment_form.html Sat Apr 03 20:00:56 2010 +0000
@@ -1,6 +1,6 @@
 {% load core_tags %}
 {% if user.is_authenticated %}
-<form action="{% url comments-post %}" method="post" id="comment-form">
+<form action="{% url comments-post %}" method="post" id="comment-form">{% csrf_token %}
 {{ form.as_p }}
 {% comment_dialogs %}
 <input type="submit" name="post" value="Post Comment" id="comment-form-post"/>
--- a/gpp/templates/contact/contact_form.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/contact/contact_form.html Sat Apr 03 20:00:56 2010 +0000 @@ -4,7 +4,7 @@ <h2>Contact Us</h2> <p>Please use the following form to contact the site management. Your feedback and comments are very important to us.</p> -<form action="{% url contact.views.contact_form %}" method="post"> +<form action="{% url contact.views.contact_form %}" method="post">{% csrf_token %} <table> <tr><th>{{ form.name.label }}:</th><td>{{ form.name.errors }}{{ form.name }}</td></tr> <tr><th>{{ form.email.label }}:</th><td>{{ form.email.errors }}{{ form.email }}</td></tr>
--- a/gpp/templates/downloads/add.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/downloads/add.html Sat Apr 03 20:00:56 2010 +0000 @@ -30,7 +30,7 @@ <li>The file may be removed at any time at the discretion of the staff of SurfGuitar101.</li> </ol> -<form action="." method="post" enctype="multipart/form-data" id="downloads-add"> +<form action="." method="post" enctype="multipart/form-data" id="downloads-add">{% csrf_token %} <fieldset> <legend>Upload Form</legend> <table>
--- a/gpp/templates/downloads/navigation.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/downloads/navigation.html Sat Apr 03 20:00:56 2010 +0000
@@ -1,7 +1,7 @@
 <div class="app-logo">
 <img src="{{ MEDIA_URL }}icons/downloads-logo.jpg" alt="Downloads Logo" title="Downloads" />
 </div>
-<form id="downloads-search" action="{% url downloads-search page=1 %}" method="post">
+<form id="downloads-search" action="{% url downloads-search page=1 %}" method="post">{% csrf_token %}
 <p>{{ search_form.text }} <input type="submit" value="Search" /></p>
 </form>
 <ul class="app-menu">
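Review bot: The search form is read-only, so `method="post"` buys nothing except the token now embedded in it and makes result pages un-bookmarkable. `<form id="downloads-search" action="{% url downloads-search page=1 %}" method="get">` without the `{% csrf_token %}` would carry the query in the URL; presumably that also lets the links past `page=1` repeat the query without parking it in the session, though the view is outside this diff. This is a design nit rather than a defect in the commit.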
--- a/gpp/templates/forums/forum_index.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/forums/forum_index.html Sat Apr 03 20:00:56 2010 +0000
@@ -12,7 +12,7 @@
 <div class="forum-block">
 {% if user.is_authenticated %}
 <a href="{% url forums-new_topic slug=forum.slug %}">New Topic</a> •
-<form action="{% url forums-catchup slug=forum.slug %}" method="post" style="display:inline">
+<form action="{% url forums-catchup slug=forum.slug %}" method="post" style="display:inline">{% csrf_token %}
 <input type="submit" value="Mark All Topics Read" />
 </form>
 {% endif %}
@@ -56,7 +56,7 @@
 {{ page_nav }}
 {% if user.is_authenticated %}
 <a href="{% url forums-new_topic slug=forum.slug %}">New Topic</a> •
-<form action="{% url forums-catchup slug=forum.slug %}" method="post" style="display:inline">
+<form action="{% url forums-catchup slug=forum.slug %}" method="post" style="display:inline">{% csrf_token %}
 <input type="submit" value="Mark All Topics Read" />
 </form>
 {% endif %}
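Review bot: The catch-up form appears verbatim twice in this template (top and bottom of the forum block) and both copies had to be edited identically here; the next change to its action or token will need the same double edit. Pulling the `<a>` plus `<form>` pair into a small partial and using `{% include %}` in both places keeps the CSRF token and action in one spot. Purely a maintainability note; the change itself is correct.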
--- a/gpp/templates/forums/manage_subscriptions.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/forums/manage_subscriptions.html Sat Apr 03 20:00:56 2010 +0000
@@ -8,7 +8,7 @@
 </h3>
 <p>The forum topics you are currently subscribed to are listed below.</p>
 {% include 'forums/pagination.html' %}
-<form action="." method="post">
+<form action="." method="post">{% csrf_token %}
 <table class="forum-topic-table">
 <thead>
 <tr>
--- a/gpp/templates/forums/mod_forum.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/forums/mod_forum.html Sat Apr 03 20:00:56 2010 +0000 @@ -14,7 +14,7 @@ <div class="forum-block"> {{ page_nav }} -<form action="." method="post"> +<form action="." method="post">{% csrf_token %} <table class="forum-index-table"> <thead> <tr>
--- a/gpp/templates/forums/mod_split_topic.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/forums/mod_split_topic.html Sat Apr 03 20:00:56 2010 +0000 @@ -16,7 +16,7 @@ split to the new topic ("Split Selected Posts"), or by selecting a post such that all posts at or below the selection get split ("Split At Selected Post"). <p> - <form action="." method="post"> + <form action="." method="post">{% csrf_token %} <table> {{ form.as_table }} <tr><td> </td><td>
--- a/gpp/templates/forums/move_topic.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/forums/move_topic.html Sat Apr 03 20:00:56 2010 +0000 @@ -10,7 +10,7 @@ </h3> <div class="forum-block"> -<form action="." method="post"> +<form action="." method="post">{% csrf_token %} <fieldset> <legend>Move Topic: {{ topic.name }}</legend> {{ form.as_p }}
--- a/gpp/templates/forums/show_form.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/forums/show_form.html Sat Apr 03 20:00:56 2010 +0000
@@ -1,5 +1,5 @@
 {% load core_tags %}
-<form action="." method="post">
+<form action="." method="post">{% csrf_token %}
 <fieldset>
 <legend>{{ legend_text }}</legend>
 {{ form.as_p }}
--- a/gpp/templates/forums/topic.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/forums/topic.html Sat Apr 03 20:00:56 2010 +0000 @@ -37,13 +37,13 @@ {{ page_nav }} {% if can_moderate %} <div class="forum-mod-controls"> - <form action="{% url forums-mod_topic_stick topic.id %}" method="post"> + <form action="{% url forums-mod_topic_stick topic.id %}" method="post">{% csrf_token %} <input type="submit" value="{% if topic.sticky %}Unstick{% else %}Stick{% endif %} Topic" /> </form> - <form action="{% url forums-mod_topic_lock topic.id %}" method="post"> + <form action="{% url forums-mod_topic_lock topic.id %}" method="post">{% csrf_token %} <input type="submit" value="{% if topic.locked %}Unlock{% else %}Lock{% endif %} Topic" /> </form> - <form action="{% url forums-mod_topic_delete topic.id %}" method="post"> + <form action="{% url forums-mod_topic_delete topic.id %}" method="post">{% csrf_token %} <input type="submit" value="Delete Topic" id="forum-mod-del-topic" /> </form> <a href="{% url forums-mod_topic_move topic.id %}"><img src="{{ MEDIA_URL }}icons/application_go.png" alt="Move Topic" title="Move Topic" /></a> @@ -59,7 +59,7 @@ {% endif %} {% if user.is_authenticated %} -<form action={% if is_subscribed %}"{% url forums-unsubscribe_topic topic.id %}"{% else %}"{% url forums-subscribe_topic topic.id %}"{% endif %} method="post"> +<form action={% if is_subscribed %}"{% url forums-unsubscribe_topic topic.id %}"{% else %}"{% url forums-subscribe_topic topic.id %}"{% endif %} method="post">{% csrf_token %} <fieldset> <legend>Subscription Options</legend> <p>
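Review bot: The subscribe form's `action=` in the second hunk is spliced from two separately quoted branches, so the attribute's quotes live inside the template tags; it renders correctly but is fragile to edit. Moving the condition inside the quotes reads better: `<form action="{% if is_subscribed %}{% url forums-unsubscribe_topic topic.id %}{% else %}{% url forums-subscribe_topic topic.id %}{% endif %}" method="post">{% csrf_token %}`. The three moderator forms in the first hunk are fine as single-button POSTs; the delete one (`forum-mod-del-topic`) presumably gets a confirmation prompt from script, which this diff does not show.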
--- a/gpp/templates/gcalendar/event.html Sat Apr 03 02:15:04 2010 +0000 +++ b/gpp/templates/gcalendar/event.html Sat Apr 03 20:00:56 2010 +0000 @@ -16,7 +16,7 @@ <li>Once submitted, your event will be reviewed by the site staff for approval. Normally it will appear on the calendar within 24 hours.</li> </ul> -<form id="id_gcal_event_form" action="." method="post"> +<form id="id_gcal_event_form" action="." method="post">{% csrf_token %} <table> {% if form.non_field_errors %} <tr><td> </td><td>{{ form.non_field_errors }}</td></tr>
--- a/gpp/templates/gcalendar/google_sync.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/gcalendar/google_sync.html Sat Apr 03 20:00:56 2010 +0000
@@ -25,7 +25,7 @@
 {% endif %}
 {% endfor %}
 </ol>
-<form action="." method="POST">
+<form action="." method="POST">{% csrf_token %}
 {{ form.as_p }}
 <p><input type="submit" name="submit" value="Submit" /></p>
 </form>
--- a/gpp/templates/membermap/index.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/membermap/index.html Sat Apr 03 20:00:56 2010 +0000
@@ -50,7 +50,7 @@
 <li>Rome, Italy</li>
 <li>5018EA, Tilburg, Netherlands</li>
 </ul>
- <form action="" method="post">
+ <form action="" method="post">{% csrf_token %}
 {{ form.as_p }}
 {% comment_dialogs %}
 <input type="submit" id="member_map_submit" name="submit" value="Submit" />
--- a/gpp/templates/messages/compose.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/messages/compose.html Sat Apr 03 20:00:56 2010 +0000
@@ -7,7 +7,7 @@
 {% block compose-class %}class="active"{% endblock %}
 {% block messages_content %}
 <h3>Compose Message</h3>
-<form action="." method="post">
+<form action="." method="post">{% csrf_token %}
 <table>
 {{ compose_form.as_table }}
 <tr>
--- a/gpp/templates/messages/options.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/messages/options.html Sat Apr 03 20:00:56 2010 +0000
@@ -10,7 +10,7 @@
 {% endfor %}
 </ul>
 {% endif %}
-<form action="." method="post">
+<form action="." method="post">{% csrf_token %}
 <table>
 {{ form.as_table }}
 <tr>
--- a/gpp/templates/messages/view.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/messages/view.html Sat Apr 03 20:00:56 2010 +0000
@@ -21,13 +21,13 @@
 </div>
 {% endif %}
 {% if is_deleted %}
-<form action="{% url messages-undelete msg.id %}" method="post">
+<form action="{% url messages-undelete msg.id %}" method="post">{% csrf_token %}
 {% if box %}<input type="hidden" name="box" value="{{ box }}" />{% endif %}
 <input type="submit" value="Undelete" />
 </form>
 {% else %}
 <a href="{% url messages-reply msg.id %}{% if box %}?box={{ box }}{% endif %}">Reply</a> |
-<form action="{% url messages-delete msg.id %}" method="post" class="messages-button">
+<form action="{% url messages-delete msg.id %}" method="post" class="messages-button">{% csrf_token %}
 {% if box %}<input type="hidden" name="box" value="{{ box }}" />{% endif %}
 <input type="submit" value="Delete" />
 </form>
--- a/gpp/templates/news/base.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/news/base.html Sat Apr 03 20:00:56 2010 +0000
@@ -10,7 +10,7 @@
 <h2>SurfGuitar101 News & Articles <a href="{% url feeds-news %}"><img src="{{ MEDIA_URL }}icons/feed.png" alt="News Feed" title="News Feed" /></a></h2>
 {% if search_form %}
 <div class="news-search">
-<form action="{% url news-search_page page=1 %}" method="post">
+<form action="{% url news-search_page page=1 %}" method="post">{% csrf_token %}
 <p>{{ search_form.text }} {{ search_form.category }} <input type="submit" value="Search" /></p>
 </form>
 </div>
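Review bot: A news search changes no server state, so this form would be better off as `method="get"` with the `{% csrf_token %}` dropped: the text and category would travel in the query string, results become linkable, and the token the middleware now demands is simply not needed. Because the action hardwires `page=1`, a POSTed query presumably has to be stashed somewhere for later pages, which a GET form avoids; the `news-search_page` view is not in this diff, so that is an inference. Not a defect in the commit, just the cheaper design.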
--- a/gpp/templates/news/send_story.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/news/send_story.html Sat Apr 03 20:00:56 2010 +0000
@@ -9,7 +9,7 @@
 <li>Your name: {{ user.get_full_name }}</li>
 <li>Your email: {{ user.email }}</li>
 </ul>
- <form action="." method="post">
+ <form action="." method="post">{% csrf_token %}
 <table>
 {{ send_form.as_table }}
 <tr><td> </td><td><input type="submit" value="Send" />
--- a/gpp/templates/news/submit_news.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/news/submit_news.html Sat Apr 03 20:00:56 2010 +0000
@@ -9,7 +9,7 @@
 {% block news_content %}
 <h3>Submit News</h3>
 {% if add_form %}
- <form action="." method="post">
+ <form action="." method="post">{% csrf_token %}
 <table>
 {{ add_form.as_table }}
 <tr><td> </td><td><input type="submit" value="Submit" />
--- a/gpp/templates/polls/poll_vote.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/polls/poll_vote.html Sat Apr 03 20:00:56 2010 +0000
@@ -6,7 +6,7 @@
 {% block content %}
 <h2>Poll</h2>
 <h3>{{ poll.question }}</h3>
-<form action="." method="post">
+<form action="." method="post">{% csrf_token %}
 <div class="poll-form">
 {{ vote_form.as_p }}
 <input type="submit" value="Vote" />
--- a/gpp/templates/shoutbox/shoutbox.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/shoutbox/shoutbox.html Sat Apr 03 20:00:56 2010 +0000
@@ -13,12 +13,12 @@
 <center><a href="{% url shoutbox-history page=1 %}">Shout History</a></center>
 {% if user.is_authenticated %}
 <center>
-<form action="{% url shoutbox-shout %}" method="post">
+<div>
 <input type="text" maxlength="2048" size="13" name="msg" value="" id="shoutbox-smiley-input" />
 <br />
 <input id="shoutbox-submit" type="submit" value="Shout" />
 <input id="shoutbox-smilies" type="button" value="Smilies" />
-</form>
+</div>
 <div id="shoutbox-smiley-frame" style="display:none;">
 <img id="shoutbox-busy-icon" src="{{ MEDIA_URL }}icons/ajax_busy.gif" alt="Please wait" />
 </div>
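Review bot: With the `<form>` replaced by a `<div>`, a shout can only reach `shoutbox-shout` through script, and nothing in the new markup carries a CSRF token for that request to send; this is the one POST in the commit that did not gain a `{% csrf_token %}`. Add `{% csrf_token %}` inside the `<div>` (or have the submit handler read the `csrftoken` cookie) and post it as `csrfmiddlewaretoken` alongside `msg`. If the endpoint currently passes only because the Django of this era exempts `is_ajax()` requests in `CsrfViewMiddleware`, note that exemption was removed in a later Django security release, at which point the shout would go from unchecked to rejected. The script that performs the submit is not in this hunk, so the XHR path is inferred from the `ajax_busy.gif` indicator and the `shoutbox-submit` id.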
--- a/gpp/templates/weblinks/add_link.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/weblinks/add_link.html Sat Apr 03 20:00:56 2010 +0000
@@ -3,7 +3,7 @@
 {% block weblinks_content %}
 <h3>Add Link</h3>
 {% if add_form %}
- <form action="." method="post">
+ <form action="." method="post">{% csrf_token %}
 <table>
 {{ add_form.as_table }}
 <tr><td> </td><td><input type="submit" value="Add Link" />
--- a/gpp/templates/weblinks/link.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/weblinks/link.html Sat Apr 03 20:00:56 2010 +0000
@@ -3,7 +3,7 @@
 </dt>
 <dd>
 <p>{{ link.description }}</p>
-<form action="{% url weblinks-visit link.id %}" method="post">
+<form action="{% url weblinks-visit link.id %}" method="post">{% csrf_token %}
 <table class="link-stats">
 <tr>
 <th>Date Added:</th><td>{{ link.date_added|date:"M d, Y" }}</td>
--- a/gpp/templates/weblinks/navigation.html Sat Apr 03 02:15:04 2010 +0000
+++ b/gpp/templates/weblinks/navigation.html Sat Apr 03 20:00:56 2010 +0000
@@ -2,7 +2,7 @@
 <img src="{{ MEDIA_URL }}icons/weblinks-logo.jpg" alt="Links Logo" title="Links" />
 </div>
 <div class="weblinks-search">
-<form action="{% url weblinks-search page=1 %}" method="post">
+<form action="{% url weblinks-search page=1 %}" method="post">{% csrf_token %}
 <p>{{ search_form.text }} <input type="submit" value="Search" /></p>
 </form>
 </div>
@@ -16,7 +16,7 @@
 {% endif %}
 </ul>
 <center>
- <form action="{% url weblinks.views.random_link %}" method="post">
+ <form action="{% url weblinks.views.random_link %}" method="post">{% csrf_token %}
 <input type="submit" value="Visit a Random Link" />
 </form>
 </center>
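Review bot: Same pattern as the other search boxes in this commit: `weblinks-search` is a query, not a state change, so `method="get"` without the token would make results linkable and leave nothing for the middleware to reject; the query would then also be available to pagination links past `page=1`, presumably without session state (the view is outside this diff). The "Visit a Random Link" form in the second hunk is reasonable as a POST if `random_link` records a hit, but if it only picks a link and redirects, a plain `<a href="{% url weblinks.views.random_link %}">` would do the same job without a token; I cannot tell which from the template.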