[Checkins] SVN: Products.PluggableAuthService/trunk/ Add CSRF token to forms which expect it on POST.

Tres Seaver cvs-admin at zope.org
Fri Nov 16 00:54:59 UTC 2012


Log message for revision 128304:
  Add CSRF token to forms which expect it on POST.

Changed:
  _U  Products.PluggableAuthService/trunk/
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt
  U   Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt

-=-
Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt	2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/dgpGroups.zpt	2012-11-16 00:54:59 UTC (rev 128304)
@@ -26,6 +26,8 @@
  </tr>
 
  <form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+        tal:attributes="value context/@@csrf_token" />
 
  <tr class="row-hilite"
      tal:repeat="info here/listGroupInfo"
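Review bot: The token is read as `context/@@csrf_token` while every other path expression in this template uses `here/` (`here/listGroupInfo` on the next line, `here/absolute_url` further down); `here/@@csrf_token` would keep the template on one convention and avoids depending on the `context` alias being available in every Zope version this product targets. Nothing in this changeset registers a `@@csrf_token` view (only the five `.zpt` files change), so it is presumably provided elsewhere in the package; if it is not, all five management screens will fail to render rather than just lose CSRF protection. Placing the hidden input directly under a `<form>` that is itself table content works because HTML parsers admit hidden inputs in table context, but it is fragile — moving it into a `<td>` next to the submit button would be more robust. The enclosing `<table>` opens outside this hunk.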
@@ -82,6 +84,8 @@
 <h3> Add a Dynamic Group </h3>
 
 <form action="manage_addGroup" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <table
 >
 
@@ -147,6 +151,8 @@
 <h3> Update Group: <span tal:replace="group_id">GROUP_ID</span> </h3>
 
 <form action="manage_updateGroup" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <input type="hidden" name="group_id" value="GROUP_ID"
        tal:attributes="value group_id" />
 <table>

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt	2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zgGroups.zpt	2012-11-16 00:54:59 UTC (rev 128304)
@@ -29,6 +29,8 @@
  </tr>
 
  <form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+        tal:attributes="value context/@@csrf_token" />
 
  <tr class="row-hilite"
      tal:repeat="info here/listGroupInfo"
@@ -84,6 +86,8 @@
 <h3> Add a Group </h3>
 
 <form action="manage_addGroup" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <table
 >
 
@@ -145,6 +149,8 @@
 </h3>
 
 <form action="manage_updateGroup" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <input type="hidden" name="group_id" value="GROUP_ID"
        tal:attributes="value group_id" />
 <table>
@@ -204,6 +210,8 @@
 
 <form action="HERE" method="POST"
       tal:attributes="action string:${here/absolute_url}/manage_groups">
+ <input type="hidden" name="csrf_token"
+        tal:attributes="value context/@@csrf_token" />
  <input type="hidden" name="group_id"
         tal:attributes="value group_id" />
  <input type="hidden" name="assign" value="1" />
@@ -236,6 +244,8 @@
                   right_is_ordered python:0;
                  "
 >
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 
 <table metal:use-macro="here/manage_twoLists/macros/two_lists">
 

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt	2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zrRoles.zpt	2012-11-16 00:54:59 UTC (rev 128304)
@@ -32,6 +32,8 @@
  </tr>
 
  <form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+        tal:attributes="value context/@@csrf_token" />
 
  <tr class="row-hilite"
      tal:repeat="info here/listRoleInfo"
@@ -87,6 +89,8 @@
 <h3> Add a Role </h3>
 
 <form action="manage_addRole" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <table
 >
 
@@ -148,6 +152,8 @@
 </h3>
 
 <form action="manage_updateRole" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <input type="hidden" name="role_id" value="ROLE_ID"
        tal:attributes="value role_id" />
 <table>
@@ -207,6 +213,8 @@
 
 <form action="HERE" method="POST"
       tal:attributes="action string:${here/absolute_url}/manage_roles">
+ <input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
  <input type="hidden" name="role_id"
         tal:attributes="value role_id" />
  <input type="hidden" name="assign" value="1" />
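Review bot: The continuation line `tal:attributes="value context/@@csrf_token" />` under the new `csrf_token` input is indented one column short of the sibling `tal:attributes="value role_id" />` line and of the identical insert in zgGroups.zpt; aligning it under the `type=` attribute (eight spaces) keeps the two hidden inputs visually parallel. Purely cosmetic.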
@@ -239,6 +247,8 @@
                   right_is_ordered python:0;
                  "
 >
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 
 <table metal:use-macro="here/manage_twoLists/macros/two_lists">
 

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt	2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuPasswd.zpt	2012-11-16 00:54:59 UTC (rev 128304)
@@ -4,6 +4,8 @@
 <h3> Update Your Password </h3>
 
 <form action="manage_updatePassword" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <table tal:define="info here/getOwnUserInfo;
                    user_id info/user_id;
                    login_name info/login_name;

Modified: Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt
===================================================================
--- Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt	2012-11-16 00:54:58 UTC (rev 128303)
+++ Products.PluggableAuthService/trunk/Products/PluggableAuthService/plugins/www/zuUsers.zpt	2012-11-16 00:54:59 UTC (rev 128304)
@@ -27,6 +27,10 @@
  </tr>
 
  <form action="." method="POST">
+ <input type="hidden" name="csrf_token"
+        tal:attributes="value context/@@csrf_token" />
+ <input type="hidden" name="csrf_token"
+        tal:attributes="value context/@@csrf_token" />
 
  <tr class="row-hilite"
      tal:repeat="info here/listUserInfo"
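Review bot: The `csrf_token` hidden input is added twice to this form — the two identical `<input>` pairs immediately after `<form action=".">` — whereas the other four templates add it once. If Zope's form marshalling behaves as usual (a repeated field name without a `:list` converter is collected into a list), `REQUEST.form['csrf_token']` will arrive as a two-element list rather than a string, and a straightforward equality check against the expected token would fail, breaking every action submitted from this list. Remove the second `<input type="hidden" name="csrf_token" tal:attributes="value context/@@csrf_token" />` pair so the form matches the others. The enclosing `<table>` opens outside this hunk.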
@@ -74,6 +78,8 @@
 <h3> Add a User </h3>
 
 <form action="manage_addUser" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <table
 >
 
@@ -113,6 +119,8 @@
                           >(update user)</a></h3>
 
 <form action="manage_updateUserPassword" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <table>
 
  <tr valign="top">
@@ -177,6 +185,8 @@
                  >(change password)</a></h3>
 
 <form action="manage_updateUser" method="POST">
+<input type="hidden" name="csrf_token"
+       tal:attributes="value context/@@csrf_token" />
 <table>
 
  <tr valign="top">


