Commit 59c1e26c authored by Julian Rother's avatar Julian Rother

Integrated csrf tokens into url_for (fixes #109)

parent 01a9a386
...@@ -71,7 +71,10 @@ def mod_required(func): ...@@ -71,7 +71,10 @@ def mod_required(func):
return func(*args, **kwargs) return func(*args, **kwargs)
return decorator return decorator
csrf_endpoints = []
def csrf_protect(func): def csrf_protect(func):
csrf_endpoints.append(func.__name__)
@wraps(func) @wraps(func)
def decorator(*args, **kwargs): def decorator(*args, **kwargs):
if '_csrf_token' in request.values: if '_csrf_token' in request.values:
...@@ -79,13 +82,19 @@ def csrf_protect(func): ...@@ -79,13 +82,19 @@ def csrf_protect(func):
elif request.get_json() and ('_csrf_token' in request.get_json()): elif request.get_json() and ('_csrf_token' in request.get_json()):
token = request.get_json()['_csrf_token'] token = request.get_json()['_csrf_token']
else: else:
token = none token = None
if not ('_csrf_token' in session) or (session['_csrf_token'] != token ) or not token: if not ('_csrf_token' in session) or (session['_csrf_token'] != token ) or not token:
return 'csrf test failed', 403 return 'csrf test failed', 403
else: else:
return func(*args, **kwargs) return func(*args, **kwargs)
return decorator return decorator
@app.url_defaults
def csrf_inject(endpoint, values):
if endpoint not in csrf_endpoints or not session['_csrf_token']:
return
values['_csrf_token'] = session['_csrf_token']
def evalperm(perms): def evalperm(perms):
cperms = [] cperms = []
lperms = [] lperms = []
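Review bot: `csrf_inject` indexes `session['_csrf_token']` directly on the line right after the membership test, so rendering any page that links to a protected endpoint while the session holds no token yet raises KeyError instead of skipping the injection; `if endpoint not in csrf_endpoints or not session.get('_csrf_token'):` keeps the intended early return. The registration in `csrf_protect` records `func.__name__`, which only matches the endpoint name `url_for` receives when the view is routed under its default endpoint; a view registered with an explicit `endpoint=` would silently lose the token from its generated links and then be answered with 403, so a comment stating that assumption next to `csrf_endpoints.append(func.__name__)` would help the next maintainer. Because the token now travels in the query string of GET links (as the templates previously did by hand), it can land in browser history, server logs and the Referer header sent to whatever the target page links to; a note such as `# NOTE: token is exposed in URLs; state-changing actions are better served by POST forms` on `csrf_inject` would document that trade-off. `csrf_protect`'s body is split across the two hunks of this section.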
...@@ -51,7 +51,7 @@ ...@@ -51,7 +51,7 @@
</div> </div>
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading"> <div class="panel-heading">
<h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1> <h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1>
</div> </div>
<ul class="list-group lectureslist"> <ul class="list-group lectureslist">
{% for l in lectures %} {% for l in lectures %}
...@@ -9,7 +9,7 @@ ...@@ -9,7 +9,7 @@
</li> </li>
{% if ismod() %} {% if ismod() %}
<li> <li>
<a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Veranstaltung</a> <a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url) }}">Neue Veranstaltung</a>
</li> </li>
{% endif %} {% endif %}
<li class="dropdown" style="padding-right: 0px"> <li class="dropdown" style="padding-right: 0px">
...@@ -54,7 +54,7 @@ ...@@ -54,7 +54,7 @@
<div class="col-xs-12"> <div class="col-xs-12">
<ul class="list-inline pull-right"> <ul class="list-inline pull-right">
<li style="padding-right: 0px;"> <li style="padding-right: 0px;">
<a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Ankündigung</a> <a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url) }}">Neue Ankündigung</a>
</li> </li>
</ul> </ul>
</div> </div>