[Checkins] SVN: Products.PluggableAuthService/trunk/ Add CSRF token to forms which expect it on POST.
Tres Seaver
cvs-admin at zope.org
Fri Nov 16 00:54:59 UTC 2012
Log message for revision 128304:
Add CSRF token to forms which expect it on POST.
Changed:
_U Products.PluggableAuthService/trunk/
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt
U Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt
-=-
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt 2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt 2012-11-16 00:54:59 UTC (rev 128304)
@@ -26,6 +26,8 @@
</tr>
<form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<tr class="row-hilite"
tal:repeat="info here/listGroupInfo"
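Review bot: The new hidden input resolves the token through `context/@@csrf_token` while the surrounding template addresses the same object as `here` (`here/listGroupInfo` on the very next line); the same mix appears in every other hunk of this commit. On a current Zope both names appear to resolve to the same object (the commit evidently relies on `context` being bound), so this is a style point, but one spelling per file keeps the token line consistent with the rest of the markup and easier to grep: `tal:attributes="value here/@@csrf_token"`. Note also that the template only emits the token; the POST handlers named in each form's `action` (`manage_addGroup`, `manage_updateGroup`, …) are where it has to be verified, and that check is outside this diff, so it is worth confirming each target actually rejects a missing or mismatched `csrf_token` rather than merely reading it. The `<form>` and the table it sits in begin and end outside the hunk.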
@@ -82,6 +84,8 @@
<h3> Add a Dynamic Group </h3>
<form action="manage_addGroup" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table
>
@@ -147,6 +151,8 @@
<h3> Update Group: <span tal:replace="group_id">GROUP_ID</span> </h3>
<form action="manage_updateGroup" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<input type="hidden" name="group_id" value="GROUP_ID"
tal:attributes="value group_id" />
<table>
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt 2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt 2012-11-16 00:54:59 UTC (rev 128304)
@@ -29,6 +29,8 @@
</tr>
<form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<tr class="row-hilite"
tal:repeat="info here/listGroupInfo"
@@ -84,6 +86,8 @@
<h3> Add a Group </h3>
<form action="manage_addGroup" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table
>
@@ -145,6 +149,8 @@
</h3>
<form action="manage_updateGroup" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<input type="hidden" name="group_id" value="GROUP_ID"
tal:attributes="value group_id" />
<table>
@@ -204,6 +210,8 @@
<form action="HERE" method="POST"
tal:attributes="action string:${here/absolute_url}/manage_groups">
+ <input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<input type="hidden" name="group_id"
tal:attributes="value group_id" />
<input type="hidden" name="assign" value="1" />
@@ -236,6 +244,8 @@
right_is_ordered python:0;
"
>
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table metal:use-macro="here/manage_twoLists/macros/two_lists">
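Review bot: The element this token is inserted into starts outside the hunk — only the tail of a `tal:define` (`right_is_ordered python:0;`) and its closing `>` are visible — so the diff does not show that this is the `<form>` whose submission should carry the token rather than a wrapper around the two-lists macro; the zrRoles hunk at `@@ -239,6 +247,8 @@` has the same shape. If the defining element is the `<form>`, this is fine; if it is not, the hidden input would sit outside the form and the POST would arrive without a token. Worth a glance at the lines immediately above the hunk in both files.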
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt 2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt 2012-11-16 00:54:59 UTC (rev 128304)
@@ -32,6 +32,8 @@
</tr>
<form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<tr class="row-hilite"
tal:repeat="info here/listRoleInfo"
@@ -87,6 +89,8 @@
<h3> Add a Role </h3>
<form action="manage_addRole" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table
>
@@ -148,6 +152,8 @@
</h3>
<form action="manage_updateRole" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<input type="hidden" name="role_id" value="ROLE_ID"
tal:attributes="value role_id" />
<table>
@@ -207,6 +213,8 @@
<form action="HERE" method="POST"
tal:attributes="action string:${here/absolute_url}/manage_roles">
+ <input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<input type="hidden" name="role_id"
tal:attributes="value role_id" />
<input type="hidden" name="assign" value="1" />
@@ -239,6 +247,8 @@
right_is_ordered python:0;
"
>
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table metal:use-macro="here/manage_twoLists/macros/two_lists">
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt 2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt 2012-11-16 00:54:59 UTC (rev 128304)
@@ -4,6 +4,8 @@
<h3> Update Your Password </h3>
<form action="manage_updatePassword" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table tal:define="info here/getOwnUserInfo;
user_id info/user_id;
login_name info/login_name;
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt 2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt 2012-11-16 00:54:59 UTC (rev 128304)
@@ -27,6 +27,10 @@
</tr>
<form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
+ <input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<tr class="row-hilite"
tal:repeat="info here/listUserInfo"
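Review bot: The `csrf_token` hidden input is emitted twice in this form — the two lines right after `<form action="." method="POST">` are repeated verbatim, which the hunk header's +4 (every other form in this commit gets +2) also reflects. As far as I recall, Zope's request marshalling turns a repeated field name without a `:list` marker into a list, so a handler that compares `REQUEST.form['csrf_token']` against a string would reject the token on this form only; confirm against the handler, but in any case drop the second `<input type="hidden" name="csrf_token" tal:attributes="value context/@@csrf_token" />`. The enclosing form and table continue outside the hunk.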
@@ -74,6 +78,8 @@
<h3> Add a User </h3>
<form action="manage_addUser" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table
>
@@ -113,6 +119,8 @@
>(update user)</a></h3>
<form action="manage_updateUserPassword" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table>
<tr valign="top">
@@ -177,6 +185,8 @@
>(change password)</a></h3>
<form action="manage_updateUser" method="POST">
+<input type="hidden" name="csrf_token"
+ tal:attributes="value context/@@csrf_token" />
<table>
<tr valign="top">