Please also check all usage of `SimpleForm` and see if you can find any where _session_id doesn't come through. I think those may be missing that hidden field, but in some quick testing I couldn't find one.
I did find one in our internal forge-classic repo, which demonstrates what can happen. I tried the following, which I think should work, but for some reason the value doesn't get rendered in the HTML.

~~~~
--- sfx/widgets.py
+++ sfx/widgets.py
@@ -1,4 +1,5 @@
 from pylons import tmpl_context as c
+from tg import request
 import formencode
 from formencode import validators as fev
 from formencode import schema as fes
@@ -58,8 +59,12 @@ class _MailingListRow(ew.RowField):
 class ListAdmin(ew.SimpleForm):
     submit_text = 'Save'
-    class fields(ew_core.NameList):
-        lists = ew.TableField(field=_MailingListRow())
+    @property
+    def fields(self):
+        return [
+            ew.TableField(name='lists', field=_MailingListRow()),
+            ew.HiddenField(name='_session_id', value=request.cookies['_session_id']),
+        ]
~~~~

---

**[tickets:#5475] Move CSRF token insertion from JS to easywidgets**

**Status:** in-progress
**Labels:** p3 support 42cc
**Created:** Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
**Last Updated:** Tue Nov 12, 2013 04:51 PM UTC
**Owner:** nobody

Standard forms across Allura have a `_session_id` field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The `ForgeForm` class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.

AJAX forms can stay as-is, they use JS already anyway.

---

Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/
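Review bot: in the second hunk, `request.cookies['_session_id']` raises `KeyError` whenever the cookie is absent (a client with no session yet), so the whole form fails to render instead of merely lacking the token; use `request.cookies.get('_session_id', '')` and let the server-side check reject the empty value on POST. The `@property` also returns a plain list where the old code was an `ew_core.NameList` subclass, so confirm that `SimpleForm` does not rely on the `NameList` API, and note that `request` (imported in the first hunk) only exists inside a request context, so `fields` must never be evaluated at import time. One thing to check for the "value doesn't get rendered" symptom is whether the form's own render-time value mapping overrides the per-field `value=`. Finally, per the ticket text the field belongs in the shared `ForgeForm` (or `SimpleForm`) base, not in `ListAdmin` alone, otherwise every form needs the same patch.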
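The server-side approach the ticket describes, as an added example that is not Allura's code and not part of this thread: render the hidden `_session_id` field from the session cookie, check it on POST with a double-submit comparison, and audit rendered HTML for POST forms where the token does not come through, which goes slightly beyond the ticket to cover the check asked for at the top of this message. `cookies` and `form` are plain dicts standing in for the request objects (an assumption), and the audit uses only the standard-library HTML parser.

```python
import hmac
from html import escape
from html.parser import HTMLParser

CSRF_FIELD = '_session_id'  # cookie and form-field name Allura uses (from the ticket)

def csrf_hidden_field(cookies):
    """Render the hidden token field server-side, as the ticket proposes.
    `cookies` is a plain dict standing in for the request cookies (assumption).
    Returns '' when no session cookie exists yet, so rendering never raises
    KeyError; the POST then fails csrf_ok() instead of the GET failing."""
    token = cookies.get(CSRF_FIELD)
    if not token:
        return ''
    return '<input type="hidden" name="%s" value="%s">' % (
        CSRF_FIELD, escape(token, quote=True))

def csrf_ok(cookies, form):
    """Double-submit check: the submitted field must equal the session cookie."""
    cookie, submitted = cookies.get(CSRF_FIELD), form.get(CSRF_FIELD)
    if not cookie or not submitted:
        return False
    return hmac.compare_digest(cookie, submitted)  # constant-time comparison

class _FormAudit(HTMLParser):
    """Records every POST form that carries no hidden _session_id input."""
    def __init__(self):
        super().__init__()
        self.missing, self._action, self._has_token = [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'form' and (a.get('method') or 'get').lower() == 'post':
            self._action, self._has_token = a.get('action', '?'), False
        elif tag == 'input' and self._action is not None:
            if a.get('type') == 'hidden' and a.get('name') == CSRF_FIELD:
                self._has_token = True

    def handle_endtag(self, tag):
        if tag == 'form' and self._action is not None:
            if not self._has_token:
                self.missing.append(self._action)
            self._action = None

def forms_missing_token(html):
    """Return the action of each POST form in rendered `html` lacking the token."""
    parser = _FormAudit()
    parser.feed(html)
    return parser.missing
```

Feeding a rendered page through `forms_missing_token` lists the POST forms that still need the hidden field or the jinja macro; GET forms are ignored since they carry no state change.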