Add global CSRF protection

2016-12-14 18:37:17 -06:00 · 2016-12-14 18:37:17 -06:00 · 4ed522ae47
commit 4ed522ae47
parent ab09314ed3
15 changed files with 28 additions and 22 deletions
--- a/tailbone/templates/change_password.mako
+++ b/tailbone/templates/change_password.mako
@ -5,6 +5,7 @@

 <div class="form">
  ${h.form(url('change_password'))}
+  ${form.csrf_token()}
  ${form.referrer_field()}
  ${form.field_div('current_password', form.password('current_password'))}
  ${form.field_div('new_password', form.password('new_password'))}
--- a/tailbone/templates/feedback.mako
+++ b/tailbone/templates/feedback.mako
@ -23,6 +23,7 @@

 <div class="form">
  ${form.begin()}
+  ${form.csrf_token()}
  ${form.hidden('user', value=request.user.uuid if request.user else None)}

  <p>
--- a/tailbone/templates/master/delete.mako
+++ b/tailbone/templates/master/delete.mako
@ -36,6 +36,7 @@
  <br />

  ${h.form(request.current_route_url())}
+  ${h.csrf_token(request)}
    <div class="buttons">
      <a class="button" href="${form.cancel_url}">Whoops, nevermind...</a>
      <button type="button" id="confirm-delete">Yes, please DELETE this data forever!</button>
--- a/tailbone/templates/newbatch/view.mako
+++ b/tailbone/templates/newbatch/view.mako
@ -71,6 +71,7 @@ ${rows_grid|n}
    <div id="execution-options-dialog" style="display: none;">

      ${h.form(url('{}.execute'.format(route_prefix), uuid=batch.uuid), name='batch-execution')}
+      ${h.csrf_token(request)}
      % if master.has_execution_options:
          ${rendered_execution_options|n}
      % endif
--- a/tailbone/templates/products/batch.mako
+++ b/tailbone/templates/products/batch.mako
@ -32,6 +32,7 @@
    <div class="form">

      ${h.form(request.current_route_url())}
+      ${h.csrf_token(request)}

      <div class="field-wrapper">
        <label for="batch_type">Batch Type</label>
@ -54,6 +55,7 @@
    <div class="form">

      ${h.form(request.current_route_url())}
+      ${h.csrf_token(request)}

      <div class="field-wrapper">
        <label for="provider">Batch Type</label>
--- a/tailbone/templates/reports/inventory.mako
+++ b/tailbone/templates/reports/inventory.mako
@ -7,6 +7,7 @@
 <br />

 ${h.form(request.current_route_url())}
+${h.csrf_token(request)}

 <div class="field-wrapper">
  <label for="department">Department</label>
--- a/tailbone/templates/shifts/lib.mako
+++ b/tailbone/templates/shifts/lib.mako
@ -5,6 +5,7 @@
    <div class="timesheet-wrapper">

      ${form.begin(id='filter-form')}
+      ${form.csrf_token()}

      <table class="timesheet-header">
        <tbody>
--- a/tailbone/templates/shifts/schedule_edit.mako
+++ b/tailbone/templates/shifts/schedule_edit.mako
@ -283,6 +283,7 @@

 <%def name="edit_form()">
  ${h.form(url('schedule.edit'), id='schedule-form')}
+  ${h.csrf_token(request)}
 </%def>

 <%def name="edit_tools()">
@ -299,6 +300,7 @@ ${timesheet_wrapper(edit_form=edit_form, edit_tools=edit_tools, context_menu=con
 ${edit_tools()}

 ${h.form(url('schedule.edit'), id="clear-schedule-form")}
+${h.csrf_token(request)}
 ${h.hidden('clear-schedule', value='clear')}
 ${h.end_form()}

@ -318,6 +320,7 @@ ${h.end_form()}
    and then new shifts will be created based on the week you specify.
  </p>
  ${h.form(url('schedule.edit'), id='copy-schedule-form')}
+  ${h.csrf_token(request)}
  <label for="copy-week">Copy from week:</label>
  ${h.text('copy-week')}
  ${h.end_form()}