From patchwork Thu Jun 24 16:38:06 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [1/1] templates: Add CSRF (cross-site request forgery) values to form
 posts
Date: Thu, 24 Jun 2010 06:38:06 -0000
From: John 'Warthog9' Hawley <warthog9@kernel.org>
X-Patchwork-Id: 56873
Message-Id: <1277397486-17239-2-git-send-email-warthog9@kernel.org>
To: patchwork@lists.ozlabs.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>

This is a fairly simple patch, basically it does what the error message
told me to do:
"add In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL."

Signed-off-by: John 'Warthog9' Hawley <warthog9@kernel.org>

---
templates/patchwork/bundle.html               |    1 +
 templates/patchwork/bundles.html              |    1 +
 templates/patchwork/patch-form.html           |    4 ++++
 templates/patchwork/patch-list.html           |    2 ++
 templates/patchwork/patch.html                |    5 +++++
 templates/patchwork/patchlist.html            |    1 +
 templates/patchwork/profile.html              |    3 +++
 templates/patchwork/user-link.html            |    1 +
 templates/registration/login.html             |    1 +
 templates/registration/registration_form.html |    1 +
 10 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/templates/patchwork/bundle.html b/templates/patchwork/bundle.html
index 616a62e..a2933d5 100644
--- a/templates/patchwork/bundle.html
+++ b/templates/patchwork/bundle.html
@@ -26,6 +26,7 @@ project.</p>
 
 
 <form method="post">
+ {% csrf_token %}
  <input type="hidden" name="form" value="bundle"/>
 <table class="form">
 
diff --git a/templates/patchwork/bundles.html b/templates/patchwork/bundles.html
index 95029c1..5340a64 100644
--- a/templates/patchwork/bundles.html
+++ b/templates/patchwork/bundles.html
@@ -33,6 +33,7 @@
   <td style="text-align: center;">
    <form method="post"
     onsubmit="return confirm_delete('bundle', '{{bundle.name|escapejs}}');">
+    {% csrf_token %}
     {{ bundle.delete_form.as_p }}
     <input type="image"
      src="/images/16-em-cross.png" width="16" height="16" alt="delete"
diff --git a/templates/patchwork/patch-form.html b/templates/patchwork/patch-form.html
index 9d2c954..aae673a 100644
--- a/templates/patchwork/patch-form.html
+++ b/templates/patchwork/patch-form.html
@@ -32,6 +32,7 @@
      <td>
       <form action="{% url patchwork.views.patch patch=patch.id %}"
        method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="act"/>
        <input type="submit" value="Ack"/>
       </form>
@@ -44,6 +45,7 @@
        <span class="errors">{{createbundleform.errors}}</span>
        {% endif %}
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="createbundle"/>
         {{ createbundleform.name }}
        <input value="Create" type="submit"/>
@@ -55,6 +57,7 @@
      <td>Add to bundle:</td>
      <td>
       <form action="{% url patchwork.views.bundle.setbundle %}" method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="add"/>
        <input type="hidden" name="patch_id" value="{{ patch.id }}"/>
        <select name="name"/>
@@ -71,6 +74,7 @@
      <td>Archive:</td>
      <td>
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="archive"/>
        <input type="submit" value="Archive"/>
       </form>
diff --git a/templates/patchwork/patch-list.html b/templates/patchwork/patch-list.html
index d4dd325..f2b89a9 100644
--- a/templates/patchwork/patch-list.html
+++ b/templates/patchwork/patch-list.html
@@ -12,6 +12,7 @@
  {% if order.editable %}
   <td class="patchlistreorder">
    <form method="post" id="reorderform">
+    {% csrf_token %}
     <input type="hidden" name="form" value="reorderform"/>
     <input type="hidden" name="order_start" value="0"/>
     <span id="reorderhelp"></span>
@@ -33,6 +34,7 @@
 {% endif %}
 
 <form method="post">
+{% csrf_token %}
 <input type="hidden" name="form" value="patchlistform"/>
 <input type="hidden" name="project" value="{{project.id}}"/>
 <table class="patchlist" id="patchlist">
diff --git a/templates/patchwork/patch.html b/templates/patchwork/patch.html
index 7c249ec..c716a33 100644
--- a/templates/patchwork/patch.html
+++ b/templates/patchwork/patch.html
@@ -87,6 +87,7 @@ function toggle_headers(link_id, headers_id)
  <div class="patchform patchform-properties">
   <h3>Patch Properties</h3>
    <form method="post">
+    {% csrf_token %}
     <table class="form">
      <tr>
       <th>Change state:</th>
@@ -130,6 +131,7 @@ function toggle_headers(link_id, headers_id)
      <td>
       <form action="{% url patchwork.views.patch.patch patch_id=patch.id %}"
        method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="act"/>
        <input type="submit" value="Ack"/>
       </form>
@@ -143,6 +145,7 @@ function toggle_headers(link_id, headers_id)
        <dd class="errors">{{createbundleform.non_field_errors}}</dd>
        {% endif %}
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="createbundle"/>
        {% if createbundleform.name.errors %}
        <dd class="errors">{{createbundleform.name.errors}}</dd>
@@ -157,6 +160,7 @@ function toggle_headers(link_id, headers_id)
      <td>Add to bundle:</td>
      <td>
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="addtobundle"/>
        <select name="bundle_id"/>
         {% for bundle in bundles %}
@@ -183,6 +187,7 @@ function toggle_headers(link_id, headers_id)
      <td>
       <form action="{% url patchwork.views.patch.patch patch_id=patch.id %}"
        method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="act"/>
        <input type="submit" value="Ack"/>
       </form>
diff --git a/templates/patchwork/patchlist.html b/templates/patchwork/patchlist.html
index 1bcd2c1..d6709cd 100644
--- a/templates/patchwork/patchlist.html
+++ b/templates/patchwork/patchlist.html
@@ -3,6 +3,7 @@
 
 {% if patches %}
 <form method="post">
+{% csrf_token %}
 <table class="patchlist">
  <tr>
   {% if patchform %}
diff --git a/templates/patchwork/profile.html b/templates/patchwork/profile.html
index c204183..e2d0b90 100644
--- a/templates/patchwork/profile.html
+++ b/templates/patchwork/profile.html
@@ -59,6 +59,7 @@ address.</p>
    {% ifnotequal user.email email.email %}
    <form action="{% url patchwork.views.user.unlink person_id=email.id %}"
     method="post">
+    {% csrf_token %}
     <input type="submit" value="Unlink"/>
    </form>
     {% endifnotequal %}
@@ -68,6 +69,7 @@ address.</p>
  <tr>
   <td colspan="2">
    <form action="{% url patchwork.views.user.link %}" method="post">
+    {% csrf_token %}
     {{ linkform.email }}
     <input type="submit" value="Add"/>
    </form>
@@ -102,6 +104,7 @@ address.</p>
 <h2>Settings</h2>
 
 <form method="post">
+ {% csrf_token %}
  <table class="form">
 {{ profileform }}
   <tr>
diff --git a/templates/patchwork/user-link.html b/templates/patchwork/user-link.html
index 2ed193e..10c8ec2 100644
--- a/templates/patchwork/user-link.html
+++ b/templates/patchwork/user-link.html
@@ -22,6 +22,7 @@ you.</p>
    {% endif %}
 
    <form action="{% url patchwork.views.user.link %}" method="post">
+    {% csrf_token %}
     {{linkform.email.errors}}
     Link an email address: {{ linkform.email }}
    </form>
diff --git a/templates/registration/login.html b/templates/registration/login.html
index eef56a4..2dfc2a7 100644
--- a/templates/registration/login.html
+++ b/templates/registration/login.html
@@ -6,6 +6,7 @@
 
 {% block body %}
 <form method="post">
+{% csrf_token %}
 <table class="form loginform">
  <tr>
   <th colspan="2" class="headerrow">login</th>
diff --git a/templates/registration/registration_form.html b/templates/registration/registration_form.html
index 8938e40..e2b17c1 100644
--- a/templates/registration/registration_form.html
+++ b/templates/registration/registration_form.html
@@ -20,6 +20,7 @@
  <li>update the state of your own patches</li>
 </ul>
 <form method="post">
+{% csrf_token %}
 <table class="form registerform">
  <tr>
   <th colspan="2" class="headerrow">register</th>