Merge pull request #13 from Simple2B/svyat/fix/csrf

Svyat/fix/csrf
Svyatoslav Artymovych 2023-04-28 16:10:35 +03:00 committed by GitHub
commit 5bdaa1e0b1
9 changed files with 20 additions and 2 deletions


@ -60,6 +60,11 @@ def create_app(environment="development"):
login_manager.login_message_category = "info"
login_manager.anonymous_user = AnonymousUser
# Jinja globals
from app.controllers.jinja_globals import form_hidden_tag
app.jinja_env.globals["form_hidden_tag"] = form_hidden_tag
# Error handlers.
@app.errorhandler(HTTPException)
def handle_http_error(exc):
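Review bot: Registering `form_hidden_tag` as a Jinja global only puts a `csrf_token` field into the rendered forms; nothing in this hunk shows the token being checked on the server. FlaskForm verifies it only when a view instantiates a form and calls `validate()`/`validate_on_submit()`, so if the `book.*` and `user.create` endpoints read `request.form` directly, the posted token is never validated unless `CSRFProtect(app)` (from `flask_wtf.csrf`) is initialised in `create_app` — that initialisation is not visible here, so worth confirming. The function-scope import on the `from app.controllers.jinja_globals import form_hidden_tag` line deserves a why-comment, e.g. `# imported here to avoid a circular import at module load`, if that is the reason; otherwise it belongs with the top-of-file imports. `create_app` starts and ends outside the hunk.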


@ -0,0 +1,7 @@
from flask_wtf import FlaskForm
# Using: {{ form_hidden_tag() }}
def form_hidden_tag():
form = FlaskForm()
return form.hidden_tag()
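Review bot: `form_hidden_tag` has no docstring, and the `# Using:` comment tells a template author how to call it but not what it emits or when that is meaningful. A suitable docstring: `"""Render FlaskForm's hidden fields (the CSRF token) for hand-written templates; a token is only emitted while WTF_CSRF_ENABLED is on, and it only protects a POST if the receiving view validates it."""`. Because the token is bound to the session, the helper presumably needs an active request context, which is worth stating in the same docstring. As a style point, `flask_wtf.csrf.generate_csrf` with an explicit hidden `csrf_token` input may read more clearly than instantiating an empty form on every render; behaviour would be the same.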


@ -4,7 +4,7 @@
<div class="relative w-full max-w-2xl max-h-full">
<!-- Modal content -->
<form action="{{ url_for('book.create') }}" method="post" class="relative bg-white rounded-lg shadow dark:bg-gray-700">
{{ form_hidden_tag() }}
<input type="hidden" name="user_id" id="user-edit-id" value="0" />
<input type="hidden" name="next_url" id="user-edit-next_url" value="" />
<!-- Modal header -->


@ -10,6 +10,7 @@
action="{{ url_for('book.collection_create', book_id=book.id) }}"
{% endif %}
method="post" class="relative bg-white rounded-lg shadow dark:bg-gray-700">
{{ form_hidden_tag() }}
<!-- Modal header -->
<div class="flex items-start justify-between p-4 border-b rounded-t dark:border-gray-600">
<h3 class="text-xl font-semibold text-gray-900 dark:text-white"> Add {% if collection %}Sub {% endif %}Collection </h3>


@ -4,7 +4,7 @@
<div class="relative w-full max-w-2xl max-h-full">
<!-- Modal content -->
<form action="{{ url_for('book.add_contributor', book_id=book.id) }}" method="post" class="relative bg-white rounded-lg shadow dark:bg-gray-700">
{{ form_hidden_tag() }}
<input type="hidden" name="user_id" id="user_id" value="0" />
<input type="hidden" name="" id="user-edit-next_url" value="" />
<!-- Modal header -->
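Review bot: The hidden input two lines below the new `{{ form_hidden_tag() }}`, `<input type="hidden" name="" id="user-edit-next_url" value="" />`, has an empty `name`, so the browser never submits it and the view cannot read it. The book-create modal names the same field `next_url`, so this looks like a pre-existing slip the commit could fix in passing: `<input type="hidden" name="next_url" id="user-edit-next_url" value="" />`. The `<form>` element opens inside the hunk but is closed outside it.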


@ -10,6 +10,7 @@
action="{{ url_for('book.collection_delete', book_id=book.id, collection_id=collection.id) }}"
{% endif %}
method="post" class="relative bg-white rounded-lg shadow dark:bg-gray-700">
{{ form_hidden_tag() }}
<!-- Modal header -->
<div class="flex items-start justify-between p-4 border-b rounded-t dark:border-gray-600">
<h3 class="text-xl font-semibold text-gray-900 dark:text-white"> Delete Collection </h3>


@ -10,6 +10,7 @@
action="{{ url_for('book.collection_edit', book_id=book.id, collection_id=collection.id) }}"
{% endif %}
method="post" class="relative bg-white rounded-lg shadow dark:bg-gray-700">
{{ form_hidden_tag() }}
<!-- Modal header -->
<div class="flex items-start justify-between p-4 border-b rounded-t dark:border-gray-600">
<h3 class="text-xl font-semibold text-gray-900 dark:text-white"> Edit Collection </h3>


@ -35,6 +35,7 @@
<td class="px-6 py-4">{{ contributor.user.username }}</td>
<td class="px-6 py-4">
<form action="{{ url_for('book.edit_contributor_role', book_id=book.id) }}" method="post" class="mb-0 flex space-x-2">
{{ form_hidden_tag() }}
<input type="hidden" name="user_id" id="user_id" value="{{ contributor.user_id }}" />
<select
id="role"
@ -57,6 +58,7 @@
<td class="px-6 py-4">
<!-- prettier-ignore -->
<form action="{{ url_for('book.delete_contributor', book_id=book.id) }}" method="post" class="mb-0">
{{ form_hidden_tag() }}
<input type="hidden" name="user_id" id="user_id" value="{{ contributor.user_id }}" />
<button type="submit" class="text-white bg-red-700 hover:bg-red-800 focus:ring-4 focus:ring-red-300 font-sm rounded-lg text-sm px-5 py-1.5 dark:bg-red-600 dark:hover:bg-red-700 focus:outline-none dark:focus:ring-red-800">Delete</button>


@ -4,6 +4,7 @@
<div class="relative w-full max-w-2xl max-h-full">
<!-- Modal content -->
<form action="{{url_for('user.create')}}" method="post" class="relative bg-white rounded-lg shadow dark:bg-gray-700">
{{ form_hidden_tag() }}
<!-- Modal header -->
<div class="flex items-start justify-between p-4 border-b rounded-t dark:border-gray-600">
<h3 class="text-xl font-semibold text-gray-900 dark:text-white"> Add new user </h3>