rattail/tailbone
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Fix master merge template/forms to include CSRF token

Browse source
This commit is contained in:
Lance Edgar 2016-12-21 11:58:59 -06:00
parent 2fbf719d61
commit 113f474e8b
2 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
tailbone/templates/master/index.mako
View file

@ -55,10 +55,11 @@
<%def name="grid_tools()"> <%def name="grid_tools()">
% if master.mergeable and request.has_perm('{}.merge'.format(permission_prefix)): % if master.mergeable and request.has_perm('{}.merge'.format(permission_prefix)):
${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')} ${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')}
${h.csrf_token(request)}
${h.hidden('uuids')} ${h.hidden('uuids')}
<button type="submit">Merge 2 ${model_title_plural}</button> <button type="submit">Merge 2 ${model_title_plural}</button>
${h.end_form()} ${h.end_form()}
% endif % endif
</%def> </%def>

1
tailbone/templates/master/merge.mako
View file

@ -132,6 +132,7 @@
</table> </table>
${h.form(request.current_route_url(), class_='merge')} ${h.form(request.current_route_url(), class_='merge')}
${h.csrf_token(request)}
<div class="buttons"> <div class="buttons">
${h.hidden('uuids', value='{},{}'.format(object_to_remove.uuid, object_to_keep.uuid))} ${h.hidden('uuids', value='{},{}'.format(object_to_remove.uuid, object_to_keep.uuid))}
<a class="button" href="${index_url}">Whoops, nevermind</a> <a class="button" href="${index_url}">Whoops, nevermind</a>