u/bodqhrohro/swineboard Commit - r1422:00a35505

Use CSRF protection

neko259 -

r1422:00a35505 default

parent child

boards/views/all_threads.py

0 +5 0

+            from dbus.decorators import method
             from django.core.urlresolvers import reverse
             from django.core.files import File
             from django.core.files.temp import NamedTemporaryFile
             from django.http import Http404
             from django.shortcuts import render, redirect
             import requests
+            from django.utils.decorators import method_decorator
+            from django.views.decorators.csrf import csrf_protect
             from boards import utils, settings
             from boards.abstracts.paginator import get_paginator
                     self.settings_manager = None
                     super(AllThreadsView, self).__init__()
+                @method_decorator(csrf_protect)
                 def get(self, request, form: ThreadForm=None):
                     page = request.GET.get('page', DEFAULT_PAGE)
                     return render(request, TEMPLATE, params)
+                @method_decorator(csrf_protect)
                 def post(self, request):
                     form = ThreadForm(request.POST, request.FILES,
                                       error_class=PlainErrorList)

boards/views/api.py

0 +4 0

             from django.http import HttpResponse
             from django.shortcuts import get_object_or_404
             from django.core import serializers
+            from django.template.context_processors import csrf
+            from django.views.decorators.csrf import csrf_protect
             from boards.abstracts.settingsmanager import get_settings_manager,\
                     FAV_THREAD_NO_UPDATES
                 return HttpResponse(content=json.dumps(json_data))
+            @csrf_protect
             def api_add_post(request, opening_post_id):
                 """
                 Adds a post and return the JSON response for it

boards/views/thread/thread.py

0 +5 0

             from django.core.urlresolvers import reverse
             from django.http import Http404
             from django.shortcuts import get_object_or_404, render, redirect
+            from django.template.context_processors import csrf
+            from django.utils.decorators import method_decorator
+            from django.views.decorators.csrf import csrf_protect
             from django.views.generic.edit import FormMixin
             from django.utils import timezone
             from django.utils.dateformat import format
             class ThreadView(BaseBoardView, PostMixin, FormMixin, DispatcherMixin):
+                @method_decorator(csrf_protect)
                 def get(self, request, post_id, form: PostForm=None):
                     try:
                         opening_post = Post.objects.get(id=post_id)
                     return render(request, self.get_template(), params)
+                @method_decorator(csrf_protect)
                 def post(self, request, post_id):
                     opening_post = get_object_or_404(Post, id=post_id)

neboard/settings.py

0 +1 0

                         ]),
                     ],
                     'context_processors': [
+                        'django.template.context_processors.csrf',
                         'django.core.context_processors.media',
                         'django.core.context_processors.static',
                         'django.core.context_processors.request',

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages