From patchwork Thu Jun 24 16:38:06 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John 'Warthog9' Hawley <warthog9@kernel.org>
X-Patchwork-Id: 56873
Return-Path: 
 <patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from bilbo.ozlabs.org (localhost [127.0.0.1])
	by ozlabs.org (Postfix) with ESMTP id B1CDFB70C3
	for <incoming@patchwork.ozlabs.org>;
	Fri, 25 Jun 2010 10:13:39 +1000 (EST)
Received: from shards.monkeyblade.net (shards.monkeyblade.net
	[198.137.202.13])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 7BDFFB6F15
	for <patchwork@lists.ozlabs.org>;
	Fri, 25 Jun 2010 02:57:12 +1000 (EST)
Received: from localhost.localdomain (c-71-202-185-40.hsd1.ca.comcast.net
	[71.202.185.40]) (authenticated bits=0)
	by shards.monkeyblade.net (8.14.4/8.14.3) with ESMTP id
	o5OGc7P0001761
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 24 Jun 2010 09:38:10 -0700
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.95.3 at shards.monkeyblade.net
From: "John 'Warthog9' Hawley" <warthog9@kernel.org>
To: patchwork@lists.ozlabs.org
Subject: [PATCH 1/1] templates: Add CSRF (cross-site request forgery) values
	to form posts
Date: Thu, 24 Jun 2010 09:38:06 -0700
Message-Id: <1277397486-17239-2-git-send-email-warthog9@kernel.org>
X-Mailer: git-send-email 1.6.6.1
In-Reply-To: <1277397486-17239-1-git-send-email-warthog9@kernel.org>
References: <1277397486-17239-1-git-send-email-warthog9@kernel.org>
MIME-Version: 1.0
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.3
	(shards.monkeyblade.net [198.137.202.13]);
	Thu, 24 Jun 2010 09:38:10 -0700 (PDT)
X-Mailman-Approved-At: Fri, 25 Jun 2010 10:13:37 +1000
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
X-BeenThere: patchwork@lists.ozlabs.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Patchwork development <patchwork.lists.ozlabs.org>
List-Unsubscribe: <https://lists.ozlabs.org/options/patchwork>,
	<mailto:patchwork-request@lists.ozlabs.org?subject=unsubscribe>
List-Archive: <http://lists.ozlabs.org/pipermail/patchwork>
List-Post: <mailto:patchwork@lists.ozlabs.org>
List-Help: <mailto:patchwork-request@lists.ozlabs.org?subject=help>
List-Subscribe: <https://lists.ozlabs.org/listinfo/patchwork>,
	<mailto:patchwork-request@lists.ozlabs.org?subject=subscribe>
Sender: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Errors-To: patchwork-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org

This is a fairly simple patch, basically it does what the error message
told me to do:
"add In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL."

Signed-off-by: John 'Warthog9' Hawley <warthog9@kernel.org>
---
 templates/patchwork/bundle.html               |    1 +
 templates/patchwork/bundles.html              |    1 +
 templates/patchwork/patch-form.html           |    4 ++++
 templates/patchwork/patch-list.html           |    2 ++
 templates/patchwork/patch.html                |    5 +++++
 templates/patchwork/patchlist.html            |    1 +
 templates/patchwork/profile.html              |    3 +++
 templates/patchwork/user-link.html            |    1 +
 templates/registration/login.html             |    1 +
 templates/registration/registration_form.html |    1 +
 10 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/templates/patchwork/bundle.html b/templates/patchwork/bundle.html
index 616a62e..a2933d5 100644
--- a/templates/patchwork/bundle.html
+++ b/templates/patchwork/bundle.html
@@ -26,6 +26,7 @@ project.</p>
 
 
 <form method="post">
+ {% csrf_token %}
  <input type="hidden" name="form" value="bundle"/>
 <table class="form">
 
diff --git a/templates/patchwork/bundles.html b/templates/patchwork/bundles.html
index 95029c1..5340a64 100644
--- a/templates/patchwork/bundles.html
+++ b/templates/patchwork/bundles.html
@@ -33,6 +33,7 @@
   <td style="text-align: center;">
    <form method="post"
     onsubmit="return confirm_delete('bundle', '{{bundle.name|escapejs}}');">
+    {% csrf_token %}
     {{ bundle.delete_form.as_p }}
     <input type="image"
      src="/images/16-em-cross.png" width="16" height="16" alt="delete"
diff --git a/templates/patchwork/patch-form.html b/templates/patchwork/patch-form.html
index 9d2c954..aae673a 100644
--- a/templates/patchwork/patch-form.html
+++ b/templates/patchwork/patch-form.html
@@ -32,6 +32,7 @@
      <td>
       <form action="{% url patchwork.views.patch patch=patch.id %}"
        method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="act"/>
        <input type="submit" value="Ack"/>
       </form>
@@ -44,6 +45,7 @@
        <span class="errors">{{createbundleform.errors}}</span>
        {% endif %}
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="createbundle"/>
         {{ createbundleform.name }}
        <input value="Create" type="submit"/>
@@ -55,6 +57,7 @@
      <td>Add to bundle:</td>
      <td>
       <form action="{% url patchwork.views.bundle.setbundle %}" method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="add"/>
        <input type="hidden" name="patch_id" value="{{ patch.id }}"/>
        <select name="name"/>
@@ -71,6 +74,7 @@
      <td>Archive:</td>
      <td>
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="archive"/>
        <input type="submit" value="Archive"/>
       </form>
diff --git a/templates/patchwork/patch-list.html b/templates/patchwork/patch-list.html
index d4dd325..f2b89a9 100644
--- a/templates/patchwork/patch-list.html
+++ b/templates/patchwork/patch-list.html
@@ -12,6 +12,7 @@
  {% if order.editable %}
   <td class="patchlistreorder">
    <form method="post" id="reorderform">
+    {% csrf_token %}
     <input type="hidden" name="form" value="reorderform"/>
     <input type="hidden" name="order_start" value="0"/>
     <span id="reorderhelp"></span>
@@ -33,6 +34,7 @@
 {% endif %}
 
 <form method="post">
+{% csrf_token %}
 <input type="hidden" name="form" value="patchlistform"/>
 <input type="hidden" name="project" value="{{project.id}}"/>
 <table class="patchlist" id="patchlist">
diff --git a/templates/patchwork/patch.html b/templates/patchwork/patch.html
index 7c249ec..c716a33 100644
--- a/templates/patchwork/patch.html
+++ b/templates/patchwork/patch.html
@@ -87,6 +87,7 @@ function toggle_headers(link_id, headers_id)
  <div class="patchform patchform-properties">
   <h3>Patch Properties</h3>
    <form method="post">
+    {% csrf_token %}
     <table class="form">
      <tr>
       <th>Change state:</th>
@@ -130,6 +131,7 @@ function toggle_headers(link_id, headers_id)
      <td>
       <form action="{% url patchwork.views.patch.patch patch_id=patch.id %}"
        method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="act"/>
        <input type="submit" value="Ack"/>
       </form>
@@ -143,6 +145,7 @@ function toggle_headers(link_id, headers_id)
        <dd class="errors">{{createbundleform.non_field_errors}}</dd>
        {% endif %}
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="createbundle"/>
        {% if createbundleform.name.errors %}
        <dd class="errors">{{createbundleform.name.errors}}</dd>
@@ -157,6 +160,7 @@ function toggle_headers(link_id, headers_id)
      <td>Add to bundle:</td>
      <td>
       <form method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="addtobundle"/>
        <select name="bundle_id"/>
         {% for bundle in bundles %}
@@ -183,6 +187,7 @@ function toggle_headers(link_id, headers_id)
      <td>
       <form action="{% url patchwork.views.patch.patch patch_id=patch.id %}"
        method="post">
+       {% csrf_token %}
        <input type="hidden" name="action" value="act"/>
        <input type="submit" value="Ack"/>
       </form>
diff --git a/templates/patchwork/patchlist.html b/templates/patchwork/patchlist.html
index 1bcd2c1..d6709cd 100644
--- a/templates/patchwork/patchlist.html
+++ b/templates/patchwork/patchlist.html
@@ -3,6 +3,7 @@
 
 {% if patches %}
 <form method="post">
+{% csrf_token %}
 <table class="patchlist">
  <tr>
   {% if patchform %}
diff --git a/templates/patchwork/profile.html b/templates/patchwork/profile.html
index c204183..e2d0b90 100644
--- a/templates/patchwork/profile.html
+++ b/templates/patchwork/profile.html
@@ -59,6 +59,7 @@ address.</p>
    {% ifnotequal user.email email.email %}
    <form action="{% url patchwork.views.user.unlink person_id=email.id %}"
     method="post">
+    {% csrf_token %}
     <input type="submit" value="Unlink"/>
    </form>
     {% endifnotequal %}
@@ -68,6 +69,7 @@ address.</p>
  <tr>
   <td colspan="2">
    <form action="{% url patchwork.views.user.link %}" method="post">
+    {% csrf_token %}
     {{ linkform.email }}
     <input type="submit" value="Add"/>
    </form>
@@ -102,6 +104,7 @@ address.</p>
 <h2>Settings</h2>
 
 <form method="post">
+ {% csrf_token %}
  <table class="form">
 {{ profileform }}
   <tr>
diff --git a/templates/patchwork/user-link.html b/templates/patchwork/user-link.html
index 2ed193e..10c8ec2 100644
--- a/templates/patchwork/user-link.html
+++ b/templates/patchwork/user-link.html
@@ -22,6 +22,7 @@ you.</p>
    {% endif %}
 
    <form action="{% url patchwork.views.user.link %}" method="post">
+    {% csrf_token %}
     {{linkform.email.errors}}
     Link an email address: {{ linkform.email }}
    </form>
diff --git a/templates/registration/login.html b/templates/registration/login.html
index eef56a4..2dfc2a7 100644
--- a/templates/registration/login.html
+++ b/templates/registration/login.html
@@ -6,6 +6,7 @@
 
 {% block body %}
 <form method="post">
+{% csrf_token %}
 <table class="form loginform">
  <tr>
   <th colspan="2" class="headerrow">login</th>
diff --git a/templates/registration/registration_form.html b/templates/registration/registration_form.html
index 8938e40..e2b17c1 100644
--- a/templates/registration/registration_form.html
+++ b/templates/registration/registration_form.html
@@ -20,6 +20,7 @@
  <li>update the state of your own patches</li>
 </ul>
 <form method="post">
+{% csrf_token %}
 <table class="form registerform">
  <tr>
   <th colspan="2" class="headerrow">register</th>