From 323e34107ab58c746748799bacef00aa65c6b317 Mon Sep 17 00:00:00 2001
From: Bryan Newbold
Date: Wed, 3 Apr 2019 10:59:28 -0700
Subject: better CSRF handling; restyle account page

---
 python/fatcat_web/routes.py                   | 10 ++++++++++
 python/fatcat_web/templates/405.html          | 12 ++++++++++++
 python/fatcat_web/templates/auth_account.html | 16 +++++++++++-----
 python/fatcat_web/templates/csrf_error.html   | 10 ++++++++++
 4 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 python/fatcat_web/templates/405.html
 create mode 100644 python/fatcat_web/templates/csrf_error.html
(limited to 'python')

diff --git a/python/fatcat_web/routes.py b/python/fatcat_web/routes.py
index c4152188..ba86fc6a 100644
--- a/python/fatcat_web/routes.py
+++ b/python/fatcat_web/routes.py
@@ -4,6 +4,7 @@ import json
 from flask import Flask, render_template, send_from_directory, request, \
     url_for, abort, g, redirect, jsonify, session, flash, Response
 from flask_login import login_required
+from flask_wtf.csrf import CSRFError
 from fatcat_client import Editgroup
 from fatcat_client.rest import ApiException
 
@@ -490,6 +491,7 @@ def token_login():
 @app.route('/auth/change_username', methods=['POST'])
 @login_required
 def change_username():
+    app.csrf.protect()
     # show the user a list of login options
     if not 'username' in request.form:
         abort(400)
@@ -529,6 +531,10 @@ def page_not_found(e):
 def page_not_authorized(e):
     return render_template('403.html'), 403
 
+@app.errorhandler(405)
+def page_method_not_allowed(e):
+    return render_template('405.html'), 405
+
 @app.errorhandler(400)
 def page_bad_request(e):
     return render_template('400.html'), 400
@@ -547,6 +553,10 @@ def page_server_error(e):
 def page_server_down(e):
     return render_template('503.html'), 503
 
+@app.errorhandler(CSRFError)
+def page_csrf_error(e):
+    return render_template('csrf_error.html', reason=e.description), 400
+
 @app.route('/', methods=['GET'])
 def page_home():
     return render_template('home.html')
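Review bot: The CSRF check in change_username is opted into by hand with `app.csrf.protect()`, so any other state-changing POST route that omits the call stays unprotected; if CSRFProtect is not already validating every request globally, consider enabling that default and exempting only the routes that genuinely need it, so that a forgotten call fails closed rather than open. Placing the call before the form is read is the right order. change_username's body continues outside the hunk, so I cannot see the rest of the handler. A one-line comment such as `# reject the request unless it carries a valid CSRF token (raises CSRFError on failure)` would make the intent explicit to the next reader.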
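Review bot: page_csrf_error renders the rejection but leaves no server-side trace, so CSRF failures — which may indicate a broken form as much as an attempted forgery — are invisible in the logs; add `app.logger.warning("CSRF validation failed for %s: %s", request.path, e.description)` before the return (request is already imported at the top of routes.py). `e.description` is produced by flask-wtf rather than taken from the request, so passing it into an autoescaped template is fine. A short docstring noting that the handler is registered for CSRFError, and that 400 matches CSRFError's own BadRequest status, would help a reader who has not seen the flask-wtf API.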
diff --git a/python/fatcat_web/templates/405.html b/python/fatcat_web/templates/405.html
new file mode 100644
index 00000000..97d21d73
--- /dev/null
+++ b/python/fatcat_web/templates/405.html
@@ -0,0 +1,12 @@
+{% extends "base.html" %}
+{% block body %}
+ +
+
405
+
Method Not Allowed
+ +

Either we have a bug, or you tried something weird (like making up a URL). + +

+
+{% endblock %}
diff --git a/python/fatcat_web/templates/auth_account.html b/python/fatcat_web/templates/auth_account.html
index 57155722..0311c538 100644
--- a/python/fatcat_web/templates/auth_account.html
+++ b/python/fatcat_web/templates/auth_account.html
@@ -1,23 +1,29 @@
 {% extends "base.html" %}
 {% block body %}
-

Your Account

+

+ + Account Settings +

Username: {{ current_user.username }}

Editor Id: {{ current_user.editor_id }} -

-

Change username: +
+

+

Change Username

+
-
+
- +
+

In the future, you might be able to...

   • Create a bot user
diff --git a/python/fatcat_web/templates/csrf_error.html b/python/fatcat_web/templates/csrf_error.html
new file mode 100644
index 00000000..357f9047
--- /dev/null
+++ b/python/fatcat_web/templates/csrf_error.html
@@ -0,0 +1,10 @@
+{% extends "base.html" %}
+{% block body %}
+ +
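Review bot: With change_username now calling app.csrf.protect(), the change-username form in this template must submit the CSRF token, otherwise every submission will land on the new csrf_error page; the form's markup is stripped in this view, so I cannot confirm that a hidden token field is present. If it is missing, add `<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">` inside the form element. The "Create a bot user" line is the hunk's last visible context line, so the remainder of the template is outside my view.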
    +
    400
    +
    Cross-Site Scripting Error
    +{{ reason }} +
    +
+{% endblock %}
-- cgit v1.2.3
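Review bot: The heading in the new csrf_error.html reads `Cross-Site Scripting Error`, but the handler that renders it is registered for CSRFError, i.e. a failed cross-site request forgery check — a different vulnerability class, and the wrong name will send both users and maintainers down the wrong path; change it to `Cross-Site Request Forgery (CSRF) Error`. The `{{ reason }}` expression is filled from e.description, a fixed flask-wtf message rather than request data, so a plain autoescaped expression is appropriate there. Most of the template's markup is stripped in this view, so I can only comment on the visible text.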