From: Eevee Date: Mon, 8 Nov 2010 07:29:02 +0000 (-0800) Subject: CSRF protection. #361 X-Git-Tag: veekun-promotions/2010112001~1 X-Git-Url: http://git.veekun.com/zzz-spline-forum.git/commitdiff_plain/d47c5a09afdbf248108b4ccfb3432060716fb0f0 CSRF protection. #361 --- diff --git a/splinext/forum/__init__.py b/splinext/forum/__init__.py index 974e29e..806795a 100644 --- a/splinext/forum/__init__.py +++ b/splinext/forum/__init__.py @@ -9,14 +9,17 @@ import splinext.forum.controllers.forum def add_routes_hook(map, *args, **kwargs): """Hook to inject some of our behavior into the routes configuration.""" + require_GET = dict(conditions=dict(method=['GET'])) require_POST = dict(conditions=dict(method=['POST'])) map.connect('/forums', controller='forum', action='forums') map.connect(r'/forums/{forum_id:\d+}', controller='forum', action='threads') map.connect(r'/forums/{forum_id:\d+}/threads/{thread_id:\d+}', controller='forum', action='posts') - map.connect(r'/forums/{forum_id:\d+}/write', controller='forum', action='write_thread') - map.connect(r'/forums/{forum_id:\d+}/threads/{thread_id:\d+}/write', controller='forum', action='write') + map.connect(r'/forums/{forum_id:\d+}/write', controller='forum', action='write_thread', **require_GET) + map.connect(r'/forums/{forum_id:\d+}/write', controller='forum', action='write_thread_commit', **require_POST) + map.connect(r'/forums/{forum_id:\d+}/threads/{thread_id:\d+}/write', controller='forum', action='write', **require_GET) + map.connect(r'/forums/{forum_id:\d+}/threads/{thread_id:\d+}/write', controller='forum', action='write_commit', **require_POST) class ForumPlugin(PluginBase): diff --git a/splinext/forum/controllers/forum.py b/splinext/forum/controllers/forum.py index 5b5ecf9..f2eb476 100644 --- a/splinext/forum/controllers/forum.py +++ b/splinext/forum/controllers/forum.py @@ -4,6 +4,7 @@ import math from pylons import cache, config, request, response, session, tmpl_context as c, url from pylons.controllers.util import abort, redirect +from pylons.decorators.secure import authenticate_form from routes import request_config from sqlalchemy.orm import joinedload from sqlalchemy.orm.exc import NoResultFound @@ -200,11 +201,25 @@ class ForumController(BaseController): abort(404) c.write_thread_form = WriteThreadForm(request.params) + return render('/forum/write_thread.mako') - if request.method != 'POST' or not c.write_thread_form.validate(): - # Failure or initial request; show the form - return render('/forum/write_thread.mako') + @authenticate_form + def write_thread_commit(self, forum_id): + """Posts a new thread.""" + if not c.user.can('forum:create-thread'): + abort(403) + + try: + c.forum = meta.Session.query(forum_model.Forum) \ + .filter_by(id=forum_id).one() + except NoResultFound: + abort(404) + c.write_thread_form = WriteThreadForm(request.params) + + # Reshow the form on failure + if not c.write_thread_form.validate(): + return render('/forum/write_thread.mako') # Otherwise, add the post. c.forum = meta.Session.query(forum_model.Forum) \ @@ -249,11 +264,25 @@ class ForumController(BaseController): abort(404) c.write_post_form = WritePostForm(request.params) + return render('/forum/write.mako') - if request.method != 'POST' or not c.write_post_form.validate(): - # Failure or initial request; show the form - return render('/forum/write.mako') + @authenticate_form + def write_commit(self, forum_id, thread_id): + """Post to a thread.""" + if not c.user.can('forum:create-post'): + abort(403) + + try: + c.thread = meta.Session.query(forum_model.Thread) \ + .filter_by(id=thread_id, forum_id=forum_id).one() + except NoResultFound: + abort(404) + c.write_post_form = WritePostForm(request.params) + + # Reshow the form on failure + if not c.write_post_form.validate(): + return render('/forum/write.mako') # Otherwise, add the post. c.thread = meta.Session.query(forum_model.Thread) \ diff --git a/splinext/forum/templates/forum/lib.mako b/splinext/forum/templates/forum/lib.mako index c82a8b2..71d0d64 100644 --- a/splinext/forum/templates/forum/lib.mako +++ b/splinext/forum/templates/forum/lib.mako @@ -69,7 +69,7 @@ <%def name="write_thread_form(forum)"> % if forum.can_create_thread(c.user):

Create new thread

-${h.form(url(controller='forum', action='write_thread', forum_id=forum.id))} +${h.secure_form(url(controller='forum', action='write_thread_commit', forum_id=forum.id))}
${lib.field('subject', form=c.write_thread_form)} ${lib.field('content', form=c.write_thread_form, rows=12, cols=80)} @@ -83,7 +83,7 @@ ${h.end_form()} <%def name="write_post_form(thread)"> % if thread.can_create_post(c.user):

Reply

-${h.form(url(controller='forum', action='write', forum_id=thread.forum.id, thread_id=thread.id))} +${h.secure_form(url(controller='forum', action='write_commit', forum_id=thread.forum.id, thread_id=thread.id))}
${lib.field('content', form=c.write_post_form, rows=12, cols=80)}