authorBryan Newbold <bnewbold@robocracy.org>2019-04-02 16:16:25 -0700
committerBryan Newbold <bnewbold@robocracy.org>2019-04-02 16:16:25 -0700
commitff9e0b2712b61b6f515e2dbd57f08952fe870386 (patch)
treeb3d0cb3d94a49c0d42801cf15e51806da4ef4313
parent8e460a157c94f86fd9248203553194e2709490d9 (diff)
fix CSRF for WTF forms
-rw-r--r--python/fatcat_web/editing_routes.py17
-rw-r--r--python/fatcat_web/web_config.py5
2 files changed, 9 insertions, 13 deletions
diff --git a/python/fatcat_web/editing_routes.py b/python/fatcat_web/editing_routes.py
index 4d06f6cd..db4e22ad 100644
--- a/python/fatcat_web/editing_routes.py
+++ b/python/fatcat_web/editing_routes.py
@@ -17,12 +17,10 @@ from fatcat_web.forms import *
### Views ###################################################################
-# XXX: figure out CSRF stuff for local dev
@app.route('/container/create', methods=['GET', 'POST'])
@login_required
-@app.csrf.exempt
def container_create():
- form = ContainerEntityForm(csrf_enabled=False) # XXX:
+ form = ContainerEntityForm()
if form.is_submitted():
if form.validate_on_submit():
# API on behalf of user
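Review bot: The failure path for a missing or stale token is not handled anywhere visible once `ContainerEntityForm()` enforces CSRF. The removed `@app.csrf.exempt` suggests a `CSRFProtect` instance is registered as `app.csrf`; if so, a POST without a valid token is presumably rejected by its before-request hook with a CSRFError (HTTP 400) before this view runs, so check that an error handler for CSRFError exists, otherwise a user whose session lapsed sees a bare 400 instead of the form. If only form-level checking is in play, `validate_on_submit()` simply returns False and the reason is only visible in `form.csrf_token.errors`, which the template must render. The same applies to `ReleaseEntityForm()` in release_create below; note also that `WTF_CSRF_TIME_LIMIT = None` in web_config.py removes token expiry entirely, so a one-line comment there saying that is intentional would help. container_create's body continues outside the hunk.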
@@ -53,9 +51,7 @@ def container_create():
return render_template('container_create.html',
form=form, editgroup_id=editgroup_id)
-# XXX: figure out CSRF stuff for local dev
@login_required
-@app.csrf.exempt
@app.route('/container/<ident>/edit', methods=['GET', 'POST'])
def container_edit(ident):
# TODO: prev_rev interlock
@@ -64,7 +60,7 @@ def container_edit(ident):
entity = api.get_container(ident)
except ApiException as ae:
abort(ae.status)
- form = ContainerEntityForm(csrf_enabled=False) # XXX:
+ form = ContainerEntityForm()
if form.is_submitted():
if form.validate_on_submit():
# API on behalf of user
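Review bot: container_edit is effectively not login-protected, and this commit leaves the cause in place: its decorator stack in the preceding hunk reads `@login_required` above `@app.route('/container/<ident>/edit', ...)`, so `app.route` registers the undecorated function and `login_required` wraps an object that is never called by the router. With the `@app.csrf.exempt` line removed from between them, the fix is to reorder so that `@app.route('/container/<ident>/edit', methods=['GET', 'POST'])` is outermost and `@login_required` sits directly above `def container_edit(ident):`, matching the order container_create already uses. release_edit further down has the same inverted order and should be corrected together with this one. Until then an unauthenticated POST reaches the `api.get_container(ident)` and editgroup logic with whatever credentials the unwrapped view resolves; a logged-out request against the edit route is the quickest way to confirm. container_edit's body starts outside this hunk.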
@@ -130,12 +126,10 @@ def webcapture_edit(ident):
abort(ae.status)
return render_template('entity_edit.html')
-# XXX: figure out CSRF stuff for local dev
@app.route('/release/create', methods=['GET', 'POST'])
@login_required
-@app.csrf.exempt
def release_create():
- form = ReleaseEntityForm(csrf_enabled=False) # XXX:
+ form = ReleaseEntityForm()
if form.is_submitted():
if form.validate_on_submit():
# API on behalf of user
@@ -149,7 +143,6 @@ def release_create():
Editgroup(description=form.editgroup_description.data or None))
# set this session editgroup_id
session['active_editgroup_id'] = eg.editgroup_id
- print(eg.editgroup_id) # XXX: debug
flash('Started new editgroup <a href="/editgroup/{}">{}</a>' \
.format(eg.editgroup_id, eg.editgroup_id))
# no merge or anything hard to do; just create the entity
@@ -168,9 +161,7 @@ def release_create():
return render_template('release_create.html',
form=form, editgroup_id=editgroup_id)
-# XXX: figure out CSRF stuff for local dev
@login_required
-@app.csrf.exempt
@app.route('/release/<ident>/edit', methods=['GET', 'POST'])
def release_edit(ident):
# TODO: prev_rev interlock
@@ -179,7 +170,7 @@ def release_edit(ident):
entity = api.get_release(ident)
except ApiException as ae:
abort(ae.status)
- form = ReleaseEntityForm(csrf_enabled=False) # XXX:
+ form = ReleaseEntityForm()
if form.is_submitted():
if form.validate_on_submit():
# API on behalf of user
diff --git a/python/fatcat_web/web_config.py b/python/fatcat_web/web_config.py
index 8fe50049..8ece91f7 100644
--- a/python/fatcat_web/web_config.py
+++ b/python/fatcat_web/web_config.py
@@ -39,6 +39,11 @@ class Config(object):
IA_XAUTH_CLIENT_ID = os.environ.get("IA_XAUTH_CLIENT_ID", default=None)
IA_XAUTH_CLIENT_SECRET = os.environ.get("IA_XAUTH_CLIENT_SECRET", default=None)
+ # CSRF on by default, but only for WTF forms (not, eg, search, lookups, GET
+ # forms)
+ WTF_CSRF_CHECK_DEFAULT = True
+ WTF_CSRF_TIME_LIMIT = None
+
# protect cookies (which include API tokens)
if FATCAT_DOMAIN != "dev.fatcat.wiki":
SESSION_COOKIE_HTTPONLY = True