Commit 59c1e26c authored by Julian Rother's avatar Julian Rother

Integrated csrf tokens into url_for (fixes #109)

parent 01a9a386
......@@ -71,7 +71,10 @@ def mod_required(func):
return func(*args, **kwargs)
return decorator
csrf_endpoints = []
def csrf_protect(func):
csrf_endpoints.append(func.__name__)
@wraps(func)
def decorator(*args, **kwargs):
if '_csrf_token' in request.values:
......@@ -79,13 +82,19 @@ def csrf_protect(func):
elif request.get_json() and ('_csrf_token' in request.get_json()):
token = request.get_json()['_csrf_token']
else:
token = none
token = None
if not ('_csrf_token' in session) or (session['_csrf_token'] != token ) or not token:
return 'csrf test failed', 403
else:
return func(*args, **kwargs)
return decorator
@app.url_defaults
def csrf_inject(endpoint, values):
if endpoint not in csrf_endpoints or not session['_csrf_token']:
return
values['_csrf_token'] = session['_csrf_token']
def evalperm(perms):
cperms = []
lperms = []
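Review bot: `csrf_inject` indexes `session['_csrf_token']` directly, so any `url_for` on a registered endpoint raises KeyError for a session that has not been issued a token yet, while `csrf_protect` above guards with `'_csrf_token' in session`; change the guard to `if endpoint not in csrf_endpoints or not session.get('_csrf_token'):`. Registration keys on `func.__name__`, which only matches a route that uses Flask's default endpoint name (inferred from the `@app.url_defaults` hook); a view declared with an explicit `endpoint=` would still be checked by `csrf_protect` but never receive the token from `url_for`, and a comment on `csrf_endpoints` stating that assumption would help. Since the injected token lands in the query string of GET links (see the templates in this commit), it is exposed to browser history, proxy and server logs, and Referer headers from the target page — pre-existing, but worth noting in a docstring on `csrf_inject`. The `session['_csrf_token'] != token` comparison in `csrf_protect` could use `hmac.compare_digest` to avoid a timing side channel. `evalperm` continues past the end of the hunk.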
......
......@@ -51,7 +51,7 @@
</div>
<div class="panel panel-default">
<div class="panel-heading">
<h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1>
<h1 class="panel-title">Videos{% if ismod() %} <a class="btn btn-default" style="margin-right: 5px;" href="{{ url_for('create', table='lectures', time=datetime.now(), title='Noch kein Titel', visible='0', course_id=course.id, ref=request.url) }}">Neuer Termin</a><a class="btn btn-default" style="margin-right: 5px;" href="{{url_for('import_from', id=course['id'])}}">Campus Import</a>{% endif %} <a class="fa fa-rss-square pull-right" aria-hidden="true" href="{{url_for('feed', handle=course.handle)}}" style="text-decoration: none"></a> </h1>
</div>
<ul class="list-group lectureslist">
{% for l in lectures %}
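Review bot: The "Neuer Termin" link on the new line is still a plain GET `<a href>` to `create`, which via the new `url_defaults` hook now carries the CSRF token in the query string; if `create` performs the insert on GET (not visible here), the token is exposed in browser history, logs and Referer headers, and link prefetchers or scanners can trigger creations with a valid token. Rendering these actions as a POST form with a hidden `_csrf_token` field would keep the token out of URLs. `ref=request.url` is also passed through for a redirect; if `create` redirects to `ref` without checking it stays on this host, that is an open-redirect vector worth verifying. The surrounding panel markup starts and ends outside the hunk.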
......
......@@ -9,7 +9,7 @@
</li>
{% if ismod() %}
<li>
<a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Veranstaltung</a>
<a class="btn btn-default" href="{{ url_for('create', table='courses', handle='new'+(randint(0,1000)|string), title='Neue Veranstaltung', responsible=session.user.givenName, ref=request.url) }}">Neue Veranstaltung</a>
</li>
{% endif %}
<li class="dropdown" style="padding-right: 0px">
......
......@@ -54,7 +54,7 @@
<div class="col-xs-12">
<ul class="list-inline pull-right">
<li style="padding-right: 0px;">
<a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url, _csrf_token=session['_csrf_token']) }}">Neue Ankündigung</a>
<a class="btn btn-default" href="{{ url_for('create', table='announcements', text='Neue Ankündigung', time_publish=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0), time_expire=datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)+timedelta(days=7), ref=request.url) }}">Neue Ankündigung</a>
</li>
</ul>
</div>
......