This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git


The following commit(s) were added to refs/heads/master by this push:
     new a158f3c04 Change _session_id cookie for _csrf_token
a158f3c04 is described below

commit a158f3c04510d77454622304d313665824f3ab0c
Author: Daniel Castillo <[email protected]>
AuthorDate: Wed Apr 16 21:15:51 2025 +0000

    Change _session_id cookie to _csrf_token
---
 Allura/allura/config/middleware.py                 |   2 +-
 .../allura/ext/admin/templates/project_trove.html  |  12 +-
 Allura/allura/lib/widgets/forms.py                 |   6 +-
 Allura/allura/lib/widgets/resources/js/post.js     |   6 +-
 .../allura/lib/widgets/resources/js/reactions.js   |   2 +-
 .../allura/lib/widgets/resources/js/screenshots.js |   2 +-
 .../allura/lib/widgets/resources/js/sf_markitup.js |   4 +-
 .../lib/widgets/resources/js/subscriptions.js      |   4 +-
 Allura/allura/lib/widgets/resources/js/vote.js     |   4 +-
 Allura/allura/public/nf/js/admin_modal.js          |   6 +-
 Allura/allura/public/nf/js/allura-base.js          |   2 +-
 Allura/allura/public/nf/js/navbar.es6.js           |   6 +-
 Allura/allura/public/nf/js/phone-verification.js   |   4 +-
 Allura/allura/public/nf/js/project_groups.js       |  12 +-
 .../allura/templates/app_admin_webhooks_list.html  |   4 +-
 Allura/allura/templates/jinja_master/lib.html      |   4 +-
 .../site_admin_site_notifications_list.html        |   2 +-
 Allura/allura/templates/widgets/vote.html          |   2 +-
 Allura/allura/tests/functional/test_auth.py        | 202 ++++++++++-----------
 AlluraTest/alluratest/validation.py                |   2 +-
 .../forgeactivity/nf/activity/js/activity.js       |   2 +-
 .../forgeactivity/widgets/resources/js/follow.js   |   2 +-
 .../forgeblog/templates/blog/post_history.html     |   4 +-
 ForgeChat/forgechat/tests/functional/test_root.py  |   2 +-
 .../forgefeedback/templates/feedback/index.html    |   4 +-
 ForgeFiles/forgefiles/nf/files/js/files.js         |   8 +-
 ForgeSVN/forgesvn/templates/svn/checkout_url.html  |   4 +-
 ForgeShortUrl/forgeshorturl/templates/index.html   |   4 +-
 .../forgetracker/templates/tracker/ticket.html     |   8 +-
 ForgeUserStats/forgeuserstats/tests/test_stats.py  |   2 +-
 ForgeWiki/forgewiki/templates/wiki/master.html     |   4 +-
 ForgeWiki/forgewiki/templates/wiki/page_edit.html  |   2 +-
 ForgeWiki/forgewiki/wiki_main.py                   |   4 +-
 scripts/ApacheAccessHandler.py                     |  12 +-
 34 files changed, 175 insertions(+), 175 deletions(-)

diff --git a/Allura/allura/config/middleware.py 
b/Allura/allura/config/middleware.py
index 19c8e3e3b..360eb44d3 100644
--- a/Allura/allura/config/middleware.py
+++ b/Allura/allura/config/middleware.py
@@ -153,7 +153,7 @@ def _make_core_app(root, global_conf: dict, **app_conf):
     app = AlluraTimerMiddleware(app, app_conf)
     # Clear cookies when the CSRF field isn't posted
     if not app_conf.get('disable_csrf_protection'):
-        app = CSRFMiddleware(app, '_session_id')
+        app = CSRFMiddleware(app, '_csrf_token')
     if asbool(config.get('cors.enabled', False)):
         # Handle CORS requests
         allowed_methods = aslist(config.get('cors.methods'))
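Review bot: The name `'_csrf_token'` is now a bare string literal repeated here, in `CsrfForm.hidden_fields` and `context_for` in forms.py, in the `csrf()` and `csrf_token()` macros in jinja_master/lib.html, and in every JS caller in this commit, so the next rename can miss one site exactly as this one had to touch 34 files; defining it once, e.g. `CSRF_COOKIE_NAME = '_csrf_token'` beside the middleware and passing `CSRFMiddleware(app, CSRF_COOKIE_NAME)`, would let forms.py and the templates refer to the constant instead of spelling it out. Separately, nothing in this hunk retires the `_session_id` cookie that browsers already hold, and pages rendered before the deploy will still post a `_session_id` field; whether CSRFMiddleware clears the stale cookie or simply rejects those posts is not visible here and is worth confirming before rollout. `_make_core_app` continues outside the hunk.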
diff --git a/Allura/allura/ext/admin/templates/project_trove.html 
b/Allura/allura/ext/admin/templates/project_trove.html
index 1fbff6e95..91368bc73 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -110,9 +110,9 @@
       var chosen_opts = {search_contains:true};
       $('.trove_add_container form:visible select').chosen(chosen_opts);
 
-      function add_trove(session_id, type, new_id) {
+      function add_trove(_csrf_token, type, new_id) {
         $.post('add_trove_js',{
-          _session_id:session_id,
+          _csrf_token:_csrf_token,
           type:type,
           new_trove:new_id},function(resp){
             if(resp.error_msg){
@@ -140,14 +140,14 @@
         });
       }
 
-      var session_id = $('input[name=_session_id]').val();
+      var _csrf_token = $('input[name=_csrf_token]').val();
       var del_btn = '<a href="#" class="del_btn" title="Delete"><b 
data-icon="{{g.icons["delete"].char}}" class="ico 
{{g.icons["delete"].css}}"></b></a>';
       $('form.trove_adder').submit(function(evt){
         evt.preventDefault();
         var $this = $(this);
         var type = $this.find('input[name=type]').val();
         var new_id = $this.find('select').last().val();
-        add_trove(session_id, type, new_id);
+        add_trove(_csrf_token, type, new_id);
       });
       $('form.trove_deleter').each(function(){
         $(this).find('input[type="submit"]').remove();
@@ -158,7 +158,7 @@
         var $form = $(this).closest('form');
         var type = $form.find('input[name="type"]').val();
         $.post('delete_trove',{
-          _session_id:session_id,
+          _csrf_token:_csrf_token,
           type:type,
           trove:$form.find('input[name="trove"]').val()},function(){
             $form.closest('div').remove();
@@ -178,7 +178,7 @@
         e.preventDefault();
         var type = $(this).data('trove');
         var new_id = $(this).data('id');
-        add_trove(session_id, type, new_id);
+        add_trove(_csrf_token, type, new_id);
       })
     });
   </script>
diff --git a/Allura/allura/lib/widgets/forms.py 
b/Allura/allura/lib/widgets/forms.py
index cc3744feb..51e42a55f 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -1110,12 +1110,12 @@ class CsrfForm(ew.SimpleForm):
 
     @property
     def hidden_fields(self):
-        return [ew.HiddenField(name='_session_id')]
+        return [ew.HiddenField(name='_csrf_token')]
 
     def context_for(self, field):
         ctx = super().context_for(field)
-        if field.name == '_session_id':
-            ctx['value'] = tg.request.cookies.get('_session_id') or 
tg.request.environ['_session_id']
+        if field.name == '_csrf_token':
+            ctx['value'] = tg.request.cookies.get('_csrf_token') or 
tg.request.environ['_csrf_token']
         return ctx
 
 
diff --git a/Allura/allura/lib/widgets/resources/js/post.js 
b/Allura/allura/lib/widgets/resources/js/post.js
index d23c6af9c..79b2962bf 100644
--- a/Allura/allura/lib/widgets/resources/js/post.js
+++ b/Allura/allura/lib/widgets/resources/js/post.js
@@ -61,14 +61,14 @@
         $('.spam-all-block', post).click(function(e) {
             e.preventDefault();
             var $this = $(this);
-            var cval = $.cookie('_session_id');
+            var cval = $.cookie('_csrf_token');
             $.ajax({
                 type: 'POST',
                 url: $this.attr('data-admin-url') + '/block_user',
                 data: {
                     username: $this.attr('data-user'),
                     perm: 'post',
-                    '_session_id': cval
+                    '_csrf_token': cval
                 },
                 success: function (data, textStatus, jqxhr) {
                     if (data.error) {
@@ -77,7 +77,7 @@
                         flash('User blocked', 'success');
                         // full page form submit
                         $('<form method="POST" action="' + 
escape_html($this.data('discussion-url'))+'moderate/save_moderation_bulk_user?username='
 + escape_html($this.attr('data-user')) + '&spam=1">' +
-                            '<input name="_session_id" type="hidden" 
value="'+escape_html(cval)+'"></form>')
+                            '<input name="_csrf_token" type="hidden" 
value="'+escape_html(cval)+'"></form>')
                             .appendTo('body')
                             .submit();
                     } else {
diff --git a/Allura/allura/lib/widgets/resources/js/reactions.js 
b/Allura/allura/lib/widgets/resources/js/reactions.js
index c0fe90706..a1f3db92f 100644
--- a/Allura/allura/lib/widgets/resources/js/reactions.js
+++ b/Allura/allura/lib/widgets/resources/js/reactions.js
@@ -91,7 +91,7 @@ function reactComment(btn, r) {
         url: btn.data('commentlink') + 'post_reaction',
         data: {
             'r': r,
-            '_session_id': $.cookie('_session_id')
+            '_csrf_token': $.cookie('_csrf_token')
         },
         success: function (res) {
             var react_html = '';
diff --git a/Allura/allura/lib/widgets/resources/js/screenshots.js 
b/Allura/allura/lib/widgets/resources/js/screenshots.js
index 533d3dcf3..eedfa4d69 100644
--- a/Allura/allura/lib/widgets/resources/js/screenshots.js
+++ b/Allura/allura/lib/widgets/resources/js/screenshots.js
@@ -18,7 +18,7 @@
  */
 $(function() {
     var updateSortOrder = function (e) {
-        var params = {'_session_id': $.cookie('_session_id')};
+        var params = {'_csrf_token': $.cookie('_csrf_token')};
         $(e.to).find('.screenshot').each(function (i) {
             params[$(this).data('ss-id')] = i;
         });
diff --git a/Allura/allura/lib/widgets/resources/js/sf_markitup.js 
b/Allura/allura/lib/widgets/resources/js/sf_markitup.js
index d876ff7a2..79d5d236b 100644
--- a/Allura/allura/lib/widgets/resources/js/sf_markitup.js
+++ b/Allura/allura/lib/widgets/resources/js/sf_markitup.js
@@ -127,13 +127,13 @@ $(window).on('load', function() {
             }
 
             function previewRender(text, preview) {
-              var cval = $.cookie('_session_id');
+              var cval = $.cookie('_csrf_token');
               $.post('/nf/markdown_to_html', {
                 markdown: text,
                 project: $('input.markdown_project', $container).val(),
                 neighborhood: $('input.markdown_neighborhood', 
$container).val(),
                 app: $('input.markdown_app', $container).val(),
-                _session_id: cval
+                _csrf_token: cval
               },
               function(resp) {
                 preview.innerHTML = resp;
diff --git a/Allura/allura/lib/widgets/resources/js/subscriptions.js 
b/Allura/allura/lib/widgets/resources/js/subscriptions.js
index 8b4bfebe0..635968c12 100644
--- a/Allura/allura/lib/widgets/resources/js/subscriptions.js
+++ b/Allura/allura/lib/widgets/resources/js/subscriptions.js
@@ -52,8 +52,8 @@ SubscriptionForm = React.createClass({
   handleClick: function(e) {
     e.preventDefault();
     var url = this.props.url;
-    var csrf = $.cookie('_session_id');
-    var data = {_session_id: csrf};
+    var csrf = $.cookie('_csrf_token');
+    var data = {_csrf_token: csrf};
     if (this.props.subscribed) {
       data.unsubscribe = true;
     } else {
diff --git a/Allura/allura/lib/widgets/resources/js/vote.js 
b/Allura/allura/lib/widgets/resources/js/vote.js
index 282624a1a..5b934a026 100644
--- a/Allura/allura/lib/widgets/resources/js/vote.js
+++ b/Allura/allura/lib/widgets/resources/js/vote.js
@@ -22,13 +22,13 @@ $(document).ready(function() {
     var $form = $('#vote form');
     var url = $form.attr('action');
     var method = $form.attr('method');
-    var _session_id = $form.find('input[name="_session_id"]').val();
+    var _csrf_token = $form.find('input[name="_csrf_token"]').val();
     $.ajax({
       url: url,
       type: method,
       data: {
         vote: vote,
-        _session_id: _session_id
+        _csrf_token: _csrf_token
       },
       success: function(data) {
         if (data.status == 'ok') {
diff --git a/Allura/allura/public/nf/js/admin_modal.js 
b/Allura/allura/public/nf/js/admin_modal.js
index 36b059f3e..f9f04a742 100644
--- a/Allura/allura/public/nf/js/admin_modal.js
+++ b/Allura/allura/public/nf/js/admin_modal.js
@@ -45,10 +45,10 @@ $(function() {
             var $popup_contents = $('#admin_modal_contents');
             $popup_title.html($(link).html());
             $popup_contents.html(data);
-            var csrf_exists = $popup_contents.find('form > 
input[name="_session_id"]').length;
+            var csrf_exists = $popup_contents.find('form > 
input[name="_csrf_token"]').length;
             if (!csrf_exists) {
-                var cval = $.cookie('_session_id');
-                var csrf_input = $('<input name="_session_id" type="hidden" 
value="'+cval+'">');
+                var cval = $.cookie('_csrf_token');
+                var csrf_input = $('<input name="_csrf_token" type="hidden" 
value="'+cval+'">');
                 $popup_contents.find('form').append(csrf_input);
             }
         });
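Review bot: The rewritten line builds the hidden input by concatenating the cookie value into an HTML string, `'<input name="_csrf_token" type="hidden" value="'+cval+'">'`, without the `escape_html()` that post.js applies to the same value in its equivalent fallback form; the value is server-issued so the practical risk is low, but a quote in it would still break the markup, and the two files should treat it the same way. Letting jQuery set the attribute avoids the question entirely: `var csrf_input = $('<input>', {name: '_csrf_token', type: 'hidden', value: cval});`. The enclosing callback starts outside the hunk.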
diff --git a/Allura/allura/public/nf/js/allura-base.js 
b/Allura/allura/public/nf/js/allura-base.js
index 839408dee..6837960cc 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -255,7 +255,7 @@ $(function(){
                 url: uri + 'update_markdown',
                 data: {
                     'text' : markdown,
-                    '_session_id' : $.cookie('_session_id')
+                    '_csrf_token' : $.cookie('_csrf_token')
                 },
                 success: callback
             });
diff --git a/Allura/allura/public/nf/js/navbar.es6.js 
b/Allura/allura/public/nf/js/navbar.es6.js
index 5a5f3e15b..55de8cb22 100644
--- a/Allura/allura/public/nf/js/navbar.es6.js
+++ b/Allura/allura/public/nf/js/navbar.es6.js
@@ -495,9 +495,9 @@ var Main = React.createClass({
     onUpdateThreshold: function(event) {
         var thres = event.target.value;
         var url = `${_getProjectUrl()}/admin/configure_tool_grouping`;
-        var csrf = $.cookie('_session_id');
+        var csrf = $.cookie('_csrf_token');
         var data = {
-            _session_id: csrf,
+            _csrf_token: csrf,
             grouping_threshold: thres
         };
         $.post(url, data, () => this.getNavJson());
@@ -510,7 +510,7 @@ var Main = React.createClass({
     onToolReorder: function() {
         $('.react-drag.dragging').removeClass('dragging');
 
-        let params = {_session_id: $.cookie('_session_id')};
+        let params = {_csrf_token: $.cookie('_csrf_token')};
         let toolNodes = 
$(ReactDOM.findDOMNode(this)).find('span.ordinal-item').not(".toolbar-grouper");
         for (let i = 0; i < toolNodes.length; i++) {
             params[i] = toolNodes[i].dataset.mountPoint;
diff --git a/Allura/allura/public/nf/js/phone-verification.js 
b/Allura/allura/public/nf/js/phone-verification.js
index e866fcd5b..583df35db 100644
--- a/Allura/allura/public/nf/js/phone-verification.js
+++ b/Allura/allura/public/nf/js/phone-verification.js
@@ -134,8 +134,8 @@ var FormStepMixin = {
   callAPI: function() {
     var url = this.getAPIUrl();
     var data = this.getAPIData();
-    var csrf = $.cookie('_session_id');
-    data._session_id = csrf;
+    var csrf = $.cookie('_csrf_token');
+    data._csrf_token = csrf;
     set_state({in_progress: true});
     $.post(url, data, function(resp) {
       if (resp.status == 'ok') {
diff --git a/Allura/allura/public/nf/js/project_groups.js 
b/Allura/allura/public/nf/js/project_groups.js
index fe16a1e79..925e8c271 100644
--- a/Allura/allura/public/nf/js/project_groups.js
+++ b/Allura/allura/public/nf/js/project_groups.js
@@ -19,13 +19,13 @@
 /*global privateProjectsAllowed */
 
 $(function() {
-  var cval = $.cookie('_session_id');
+  var cval = $.cookie('_csrf_token');
   // delete a group
   $('a.delete_group').click(function(evt){
     evt.preventDefault();
     var link = this;
-    var csrf = $.cookie('_session_id');
-    var data = {_session_id: csrf};
+    var csrf = $.cookie('_csrf_token');
+    var data = {_csrf_token: csrf};
     if(confirm("Are you sure you want to remove the group? All users and 
groups in the group will lose their permissions.")){
       $.post(link.href, data, function(resp) {
         $(link).closest('tr').hide('fast');
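Review bot: The click handler re-reads the cookie into `csrf` even though `cval` was already read from the same cookie at the top of the ready handler and is what the other hunks in this file use; the two rewritten lines `var csrf = $.cookie('_csrf_token');` and `var data = {_csrf_token: csrf};` can collapse to `var data = {_csrf_token: cval};`. Reading it once also keeps every request in this file sending the same value if the cookie is ever rotated mid-page. The ready handler continues outside the hunk.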
@@ -39,7 +39,7 @@ $(function() {
     if(confirm("Are you sure you want to remove the user 
"+user_holder.data('user')+"?")){
         var params = {'role_id': user_holder.closest('tr').data('group'),
                   'username': user_holder.data('user'),
-                  '_session_id': cval};
+                  '_csrf_token': cval};
         var old_html = user_holder.html();
         user_holder.html(spinner_img+' Removing...');
         $.post('remove_user', params, function(data){
@@ -59,7 +59,7 @@ $(function() {
     var item_form = $(this);
     var params = {'role_id': item_form.closest('tr').data('group'),
                   'username': item_form.find('input').val(),
-                  '_session_id': cval};
+                  '_csrf_token': cval};
     var holder = item_form.closest('li');
     holder.html(spinner_img+' Saving...');
     $.post('add_user', params, function(data){
@@ -119,7 +119,7 @@ $(function() {
     var params = {'role_id':$(this).closest('tr').data('group'),
                   'permission':perm_holder.data('permission'),
                   'allow':true,
-                  '_session_id':cval};
+                  '_csrf_token':cval};
     if(perm_holder.hasClass('yes')){
       params['allow']=false;
     }
diff --git a/Allura/allura/templates/app_admin_webhooks_list.html 
b/Allura/allura/templates/app_admin_webhooks_list.html
index 494d72056..088e4a509 100644
--- a/Allura/allura/templates/app_admin_webhooks_list.html
+++ b/Allura/allura/templates/app_admin_webhooks_list.html
@@ -52,8 +52,8 @@ $(function() {
   $('.delete-link').click(function(e) {
     e.preventDefault();
     var id = $(this).attr('data-id');
-    var csrf = $.cookie('_session_id');
-    var data = {'webhook': id, '_session_id': csrf};
+    var csrf = $.cookie('_csrf_token');
+    var data = {'webhook': id, '_csrf_token': csrf};
     var url = $(this).attr('href');
     var $tr = $(this).parents('tr');
     $.post(url, data, function(data) {
diff --git a/Allura/allura/templates/jinja_master/lib.html 
b/Allura/allura/templates/jinja_master/lib.html
index 97a2160f5..fa37c98cb 100644
--- a/Allura/allura/templates/jinja_master/lib.html
+++ b/Allura/allura/templates/jinja_master/lib.html
@@ -18,11 +18,11 @@
 -#}
 
 {% macro csrf() -%}
-    {{ request.cookies['_session_id'] or request.environ['_session_id'] }}
+    {{ request.cookies['_csrf_token'] or request.environ['_csrf_token'] }}
 {%- endmacro %}
 
 {% macro csrf_token() -%}
-    <input name="_session_id" type="hidden" value="{{csrf()}}">
+    <input name="_csrf_token" type="hidden" value="{{csrf()}}">
 {%- endmacro %}
 
 {% macro related_artifacts(artifact, user) -%}
diff --git a/Allura/allura/templates/site_admin_site_notifications_list.html 
b/Allura/allura/templates/site_admin_site_notifications_list.html
index dce9e6504..bc389c9b4 100644
--- a/Allura/allura/templates/site_admin_site_notifications_list.html
+++ b/Allura/allura/templates/site_admin_site_notifications_list.html
@@ -85,7 +85,7 @@
             type: 'POST',
             url: elem.href,
             data: {
-              '_session_id': $.cookie('_session_id')
+              '_csrf_token': $.cookie('_csrf_token')
             },
             success: function(data) {
                 $(elem).parent().parent().remove();
diff --git a/Allura/allura/templates/widgets/vote.html 
b/Allura/allura/templates/widgets/vote.html
index 1a82b8711..fb21e2811 100644
--- a/Allura/allura/templates/widgets/vote.html
+++ b/Allura/allura/templates/widgets/vote.html
@@ -42,7 +42,7 @@
   <div style="clear:both;"></div>
   {% if can_vote %}
   <form action="{{ action }}" method="POST">
-    {# csrf protection will be automatically inserted here (_session_id field) 
#}
+    {# csrf protection will be automatically inserted here (_csrf_token field) 
#}
     {{lib.csrf_token()}}
   </form>
   {% endif %}
diff --git a/Allura/allura/tests/functional/test_auth.py 
b/Allura/allura/tests/functional/test_auth.py
index e280fed69..c0d3e7f6d 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -53,10 +53,10 @@ def unentity(s):
 
 class TestAuth(TestController):
     def test_login(self):
-        self.app.get('/auth/preferences/')  # establish session_id cookie
+        self.app.get('/auth/preferences/')  # establish _csrf_token cookie
         email = M.User.query.get(username='test-admin').email_addresses[0]
         r = self.app.post('/auth/send_verification_link', params=dict(a=email,
-                                                                      
_session_id=self.app.cookies['_session_id']))
+                                                                      
_csrf_token=self.app.cookies['_csrf_token']))
         assert json.loads(self.webflash(r))['status'] == 'ok', self.webflash(r)
 
         ThreadLocalODMSession.flush_all()
@@ -69,13 +69,13 @@ def test_login(self):
         with audits('Successful login', user=True):
             r = self.app.post('/auth/do_login', params=dict(
                 username='test-user', password='foo',
-                _session_id=self.app.cookies['_session_id']),
+                _csrf_token=self.app.cookies['_csrf_token']),
                 antispam=True).follow()
             assert r.headers['Location'] == 'http://localhost/dashboard'
 
         r = self.app.post('/auth/do_login', antispam=True, params=dict(
             username='test-user', password='foo', honey1='robot',  # bad 
honeypot value
-            _session_id=self.app.cookies['_session_id']),
+            _csrf_token=self.app.cookies['_csrf_token']),
             extra_environ={'regular_antispam_err_handling_even_when_tests': 
'true'},
             status=302)
         wf = json.loads(self.webflash(r))
@@ -85,12 +85,12 @@ def test_login(self):
         with audits('Failed login', user=True):
             r = self.app.post('/auth/do_login', antispam=True, 
extra_environ=dict(username='*anonymous'), params=dict(
                 username='test-user', password='food',
-                _session_id=self.app.cookies['_session_id']))
+                _csrf_token=self.app.cookies['_csrf_token']))
             assert 'Invalid login' in str(r), r.showbrowser()
 
         r = self.app.post('/auth/do_login', antispam=True, 
extra_environ=dict(username='*anonymous'), params=dict(
             username='test-usera', password='foo',
-            _session_id=self.app.cookies['_session_id']))
+            _csrf_token=self.app.cookies['_csrf_token']))
         assert 'Invalid login' in str(r), r.showbrowser()
 
     def test_login_invalid_username(self):
@@ -266,7 +266,7 @@ def test_logout(self):
 
         r = self.app.post('/auth/do_login', params=dict(
             username='test-user', password='foo',
-            _session_id=self.app.cookies['_session_id']),
+            _csrf_token=self.app.cookies['_csrf_token']),
             extra_environ={'REMOTE_ADDR': '127.0.0.1'},
             antispam=True).follow().follow()
 
@@ -293,7 +293,7 @@ def test_track_login(self):
                       params=dict(
                           username='test-user',
                           password='foo',
-                          _session_id=self.app.cookies['_session_id'],
+                          _csrf_token=self.app.cookies['_csrf_token'],
                       ),
                       antispam=True,
                       )
@@ -310,7 +310,7 @@ def test_rememberme(self):
         # Login as test-user with remember me checkbox off
         r = self.app.post('/auth/do_login', params=dict(
             username='test-user', password='foo',
-            _session_id=self.app.cookies['_session_id'],
+            _csrf_token=self.app.cookies['_csrf_token'],
         ), antispam=True)
         assert r.session['username'] == username
         assert r.session['login_expires'] is True
@@ -322,7 +322,7 @@ def test_rememberme(self):
         # Login as test-user with remember me checkbox on
         r = self.app.post('/auth/do_login', params=dict(
             username='test-user', password='foo', rememberme='on',
-            _session_id=self.app.cookies['_session_id'],
+            _csrf_token=self.app.cookies['_csrf_token'],
         ), antispam=True)
         assert r.session['username'] == username
         assert r.session['login_expires'] is not True
@@ -344,7 +344,7 @@ def test_user_can_not_claim_duplicate_emails(self):
                           'primary_addr': '[email protected]',
                           'preferences.email_format': 'plain',
                           'password': 'foo',
-                          '_session_id': self.app.cookies['_session_id'],
+                          '_csrf_token': self.app.cookies['_csrf_token'],
                       },
                       extra_environ=dict(username='test-admin'))
 
@@ -356,7 +356,7 @@ def test_user_can_not_claim_duplicate_emails(self):
                               'primary_addr': '[email protected]',
                               'preferences.email_format': 'plain',
                               'password': 'foo',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                           },
                           extra_environ=dict(username='test-admin'))
 
@@ -390,7 +390,7 @@ def 
test_user_added_claimed_address_by_other_user_confirmed(self, gen_message_id
                               'primary_addr': '[email protected]',
                               'preferences.email_format': 'plain',
                               'password': 'foo',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                           },
                           extra_environ=dict(username='test-admin'))
 
@@ -433,7 +433,7 @@ def 
test_user_added_claimed_address_by_other_user_not_confirmed(self, gen_messag
                               'primary_addr': '[email protected]',
                               'preferences.email_format': 'plain',
                               'password': 'foo',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                           },
                           extra_environ=dict(username='test-user-1'))
 
@@ -457,7 +457,7 @@ def test_user_cannot_claim_more_than_max_limit(self, 
gen_message_id, sendsimplem
                                   'primary_addr': 
'[email protected]',
                                   'preferences.email_format': 'plain',
                                   'password': 'foo',
-                                  '_session_id': 
self.app.cookies['_session_id'],
+                                  '_csrf_token': 
self.app.cookies['_csrf_token'],
                               },
                               extra_environ=dict(username='test-user-1'))
             assert json.loads(self.webflash(r))['status'] == 'ok'
@@ -469,7 +469,7 @@ def test_user_cannot_claim_more_than_max_limit(self, 
gen_message_id, sendsimplem
                                   'primary_addr': 
'[email protected]',
                                   'preferences.email_format': 'plain',
                                   'password': 'foo',
-                                  '_session_id': 
self.app.cookies['_session_id'],
+                                  '_csrf_token': 
self.app.cookies['_csrf_token'],
                               },
                               extra_environ=dict(username='test-user-1'))
 
@@ -496,8 +496,8 @@ def test_verification_link_for_confirmed_email(self, 
gen_message_id, sendsimplem
         ThreadLocalODMSession.flush_all()
 
         r = self.app.post('/auth/send_verification_link',
-                          params=dict(a=email_address, 
_session_id=self.app.cookies['_session_id']),
-                          extra_environ=dict(username='test-user-1', 
_session_id=self.app.cookies['_session_id']))
+                          params=dict(a=email_address, 
_csrf_token=self.app.cookies['_csrf_token']),
+                          extra_environ=dict(username='test-user-1', 
_csrf_token=self.app.cookies['_csrf_token']))
 
         assert json.loads(self.webflash(r))['status'] == 'ok'
         assert json.loads(self.webflash(r))['message'] == 'Verification link 
sent'
@@ -522,7 +522,7 @@ def 
test_invalidate_verification_link_if_email_was_confirmed(self):
 
         self.app.post('/auth/send_verification_link',
                       params=dict(a=email_address,
-                                  _session_id=self.app.cookies['_session_id']),
+                                  _csrf_token=self.app.cookies['_csrf_token']),
                       extra_environ=dict(username='test-user'))
 
         user1 = M.User.query.get(username='test-user-1')
@@ -553,7 +553,7 @@ def test_verify_addr_correct_session(self, gen_message_id, 
sendsimplemail):
 
         self.app.post('/auth/send_verification_link',
                       params=dict(a=email_address,
-                                  _session_id=self.app.cookies['_session_id']),
+                                  _csrf_token=self.app.cookies['_csrf_token']),
                       extra_environ=dict(username='test-user'))
 
         # logged out, gets redirected to login page
@@ -634,7 +634,7 @@ def test_email_change_invalidates_token(self, 
change_params):
         session(user).flush(user)
 
         self.app.get('/').follow()  # establish session
-        change_params['_session_id'] = self.app.cookies['_session_id']
+        change_params['_csrf_token'] = self.app.cookies['_csrf_token']
         self.app.post('/auth/preferences/update_emails',
                       extra_environ=dict(username='test-admin'),
                       params=change_params)
@@ -659,7 +659,7 @@ def test_change_password(self):
                               'oldpw': 'foo',
                               'pw': 'asdfasdf',
                               'pw2': 'asdfasdf',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                           })
 
         # Confirm password was changed.
@@ -690,7 +690,7 @@ def test_change_password_hibp(self):
                               'oldpw': 'foo',
                               'pw': 'password',
                               'pw2': 'password',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                           })
 
         assert 'Unsafe' in str(r.headers)
@@ -701,7 +701,7 @@ def test_change_password_hibp(self):
                               'oldpw': 'foo',
                               'pw': '3j84rhoirwnoiwrnoiw',
                               'pw2': '3j84rhoirwnoiwrnoiw',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                           })
         assert 'Unsafe' not in str(r.headers)
 
@@ -731,7 +731,7 @@ def test_prefs(self, gen_message_id, sendsimplemail):
                                   'primary_addr': '[email protected]',
                                   'password': 'foo',
                                   'preferences.email_format': 'plain',
-                                  '_session_id': 
self.app.cookies['_session_id'],
+                                  '_csrf_token': 
self.app.cookies['_csrf_token'],
                               })
         r = self.app.get('/auth/preferences/')
         assert '[email protected]' in r
@@ -750,7 +750,7 @@ def test_prefs(self, gen_message_id, sendsimplemail):
                                   'primary_addr': '[email protected]',
                                   'password': 'foo',
                                   'preferences.email_format': 'plain',
-                                  '_session_id': 
self.app.cookies['_session_id'],
+                                  '_csrf_token': 
self.app.cookies['_csrf_token'],
                               })
 
         # assert 'email_removed' notification email sent
@@ -767,7 +767,7 @@ def test_prefs(self, gen_message_id, sendsimplemail):
         with td.audits('Display Name changed Test Admin => Admin', user=True):
             r = self.app.post('/auth/preferences/update',
                               params={'preferences.display_name': 'Admin',
-                                      '_session_id': 
self.app.cookies['_session_id'],
+                                      '_csrf_token': 
self.app.cookies['_csrf_token'],
                                       },
                               extra_environ=dict(username='test-admin'))
 
@@ -781,7 +781,7 @@ def test_email_prefs_change_requires_password(self, 
gen_message_id, sendsimplema
             'new_addr.addr': '[email protected]',
             'new_addr.claim': 'Claim Address',
             'primary_addr': '[email protected]',
-            '_session_id': self.app.cookies['_session_id'],
+            '_csrf_token': self.app.cookies['_csrf_token'],
         }
         r = self.app.post('/auth/preferences/update_emails',
                           params=new_email_params,
@@ -807,7 +807,7 @@ def test_email_prefs_change_requires_password(self, 
gen_message_id, sendsimplema
         change_primary_params = {
             'new_addr.addr': '',
             'primary_addr': '[email protected]',
-            '_session_id': self.app.cookies['_session_id'],
+            '_csrf_token': self.app.cookies['_csrf_token'],
         }
         r = self.app.post('/auth/preferences/update_emails',
                           params=change_primary_params,
@@ -842,7 +842,7 @@ def test_email_prefs_change_requires_password(self, 
gen_message_id, sendsimplema
             'addr-2.delete': 'on',
             'new_addr.addr': '',
             'primary_addr': '[email protected]',
-            '_session_id': self.app.cookies['_session_id'],
+            '_csrf_token': self.app.cookies['_csrf_token'],
         }
         r = self.app.post('/auth/preferences/update_emails',
                           params=remove_email_params,
@@ -889,12 +889,12 @@ def test_update_user_notifications(self):
         self.app.get('/').follow()  # establish session
         assert not 
M.User.query.get(username='test-admin').get_pref('mention_notifications')
         self.app.post('/auth/subscriptions/update_user_notifications',
-                      params={'_session_id': self.app.cookies['_session_id'],
+                      params={'_csrf_token': self.app.cookies['_csrf_token'],
                               })
         assert not 
M.User.query.get(username='test-admin').get_pref('mention_notifications')
         self.app.post('/auth/subscriptions/update_user_notifications',
                       params={'allow_umnotif': 'on',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                               })
         assert 
M.User.query.get(username='test-admin').get_pref('mention_notifications')
 
@@ -953,12 +953,12 @@ def test_format_email(self):
         self.app.get('/').follow()  # establish session
         self.app.post('/auth/subscriptions/update_subscriptions',
                       params={'email_format': 'plain', 'subscriptions': '',
-                              '_session_id': self.app.cookies['_session_id']})
+                              '_csrf_token': self.app.cookies['_csrf_token']})
         r = self.app.get('/auth/subscriptions/')
         assert '<option selected value="plain">Plain Text</option>' in r
         self.app.post('/auth/subscriptions/update_subscriptions',
                       params={'email_format': 'both', 'subscriptions': '',
-                              '_session_id': self.app.cookies['_session_id']})
+                              '_csrf_token': self.app.cookies['_csrf_token']})
         r = self.app.get('/auth/subscriptions/')
         assert '<option selected value="both">HTML</option>' in r
 
@@ -967,7 +967,7 @@ def test_create_account(self):
         assert 'Create an Account' in r
         r = self.app.post('/auth/save_new',
                           params=dict(username='AAA', pw='123',
-                                      
_session_id=self.app.cookies['_session_id']))
+                                      
_csrf_token=self.app.cookies['_csrf_token']))
         assert 'Enter a value 6 characters long or more' in r
         assert ('Usernames must include only small letters, numbers, '
                 'and dashes. They must also start with a letter and be '
@@ -979,7 +979,7 @@ def test_create_account(self):
                 pw='12345678',
                 pw2='12345678',
                 display_name='Test Me',
-                _session_id=self.app.cookies['_session_id'],
+                _csrf_token=self.app.cookies['_csrf_token'],
             ))
         r = r.follow().follow()
         assert 'User "aaa" registered' in unentity(r.text)
@@ -990,14 +990,14 @@ def test_create_account(self):
                 pw='12345678',
                 pw2='12345678',
                 display_name='Test Me',
-                _session_id=self.app.cookies['_session_id'],
+                _csrf_token=self.app.cookies['_csrf_token'],
             ))
         assert 'That username is already taken. Please choose another.' in r
         r = self.app.get('/auth/logout')
         r = self.app.post(
             '/auth/do_login',
             params=dict(username='aaa', password='12345678',
-                        _session_id=self.app.cookies['_session_id']), 
antispam=True,
+                        _csrf_token=self.app.cookies['_csrf_token']), 
antispam=True,
             status=302)
 
     def test_create_account_require_email(self):
@@ -1011,7 +1011,7 @@ def test_create_account_require_email(self):
                     pw2='12345678',
                     display_name='Test Me',
                     email='[email protected]',
-                    _session_id=self.app.cookies['_session_id'],
+                    _csrf_token=self.app.cookies['_csrf_token'],
                 ))
             user = M.User.query.get(username='aaa')
             assert not user.pending
@@ -1025,7 +1025,7 @@ def test_create_account_require_email(self):
                     pw2='12345678',
                     display_name='Test Me',
                     email='[email protected]',
-                    _session_id=self.app.cookies['_session_id']
+                    _csrf_token=self.app.cookies['_csrf_token']
                 ))
             user = M.User.query.get(username='bbb')
             assert user.pending
@@ -1042,7 +1042,7 @@ def test_verify_email(self):
                     pw2='12345678',
                     display_name='Test Me',
                     email='[email protected]',
-                    _session_id=self.app.cookies['_session_id']
+                    _csrf_token=self.app.cookies['_csrf_token']
                 ))
             r = r.follow()
             user = M.User.query.get(username='aaa')
@@ -1075,7 +1075,7 @@ def test_create_account_disabled_submit_fails(self):
                               pw='12345678',
                               pw2='12345678',
                               display_name='Test Me',
-                              _session_id=self.app.cookies['_session_id']
+                              _csrf_token=self.app.cookies['_csrf_token']
                           ),
                           status=404)
 
@@ -1092,7 +1092,7 @@ def test_one_project_role(self):
             pw2='12345678',
             display_name='Test Me',
             email='[email protected]',
-            _session_id=self.app.cookies['_session_id'],
+            _csrf_token=self.app.cookies['_csrf_token'],
         )).follow()
         user = M.User.query.get(username='aaa')
         user.pending = False
@@ -1131,7 +1131,7 @@ def test_no_open_return_to(self):
         r = self.app.post('/auth/do_login', params=dict(
             username='test-user', password='foo',
             return_to='/foo',
-            _session_id=self.app.cookies['_session_id']),
+            _csrf_token=self.app.cookies['_csrf_token']),
             antispam=True
         )
         assert r.location == 'http://localhost/foo'
@@ -1140,21 +1140,21 @@ def test_no_open_return_to(self):
         r = self.app.post('/auth/do_login', antispam=True, params=dict(
             username='test-user', password='foo',
             return_to='http://localhost/foo',
-            _session_id=self.app.cookies['_session_id']))
+            _csrf_token=self.app.cookies['_csrf_token']))
         assert r.location == 'http://localhost/foo'
 
         r = self.app.get('/auth/logout')
         r = self.app.post('/auth/do_login', antispam=True, params=dict(
             username='test-user', password='foo',
             return_to='http://example.com/foo',
-            _session_id=self.app.cookies['_session_id'])).follow()
+            _csrf_token=self.app.cookies['_csrf_token'])).follow()
         assert r.location == 'http://localhost/dashboard'
 
         r = self.app.get('/auth/logout')
         r = self.app.post('/auth/do_login', antispam=True, params=dict(
             username='test-user', password='foo',
             return_to='//example.com/foo',
-            _session_id=self.app.cookies['_session_id'])).follow()
+            _csrf_token=self.app.cookies['_csrf_token'])).follow()
         assert r.location == 'http://localhost/dashboard'
 
     def test_no_injected_headers_in_return_to(self):
@@ -1163,7 +1163,7 @@ def test_no_injected_headers_in_return_to(self):
             username='test-user', password='foo',
             return_to='/foo\nContent-Length: 777',
             # WebTest actually will raise an error if there's an invalid 
header (webob itself does not)
-            _session_id=self.app.cookies['_session_id']),
+            _csrf_token=self.app.cookies['_csrf_token']),
             antispam=True
         )
         assert r.location == 'http://localhost/'
@@ -1226,7 +1226,7 @@ def test_personal_data(self):
                               country=setcountry,
                               city=setcity,
                               timezone=settimezone,
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         sex = user.sex
@@ -1242,7 +1242,7 @@ def test_personal_data(self):
 
         # Check if setting a wrong date everything works correctly
         r = self.app.post('/auth/user_info/change_personal_data',
-                          params=dict(birthdate='30/02/1998', 
_session_id=self.app.cookies['_session_id']))
+                          params=dict(birthdate='30/02/1998', 
_csrf_token=self.app.cookies['_csrf_token']))
         assert 'Please enter a valid date' in r.text
         user = M.User.query.get(username='test-admin')
         sex = user.sex
@@ -1264,7 +1264,7 @@ def test_personal_data(self):
                               country=setcountry,
                               city=setcity,
                               timezone=settimezone,
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         assert user.birthdate is None
@@ -1277,7 +1277,7 @@ def test_contacts_not_allowed(self):
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(socialnetwork=socialnetwork,
                                   accounturl=accounturl,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 0
@@ -1287,7 +1287,7 @@ def test_contacts_not_allowed(self):
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(socialnetwork=socialnetwork,
                                   accounturl=accounturl,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 0
@@ -1297,7 +1297,7 @@ def test_contacts_not_allowed(self):
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(socialnetwork=socialnetwork,
                                   accounturl=accounturl,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 0
@@ -1308,7 +1308,7 @@ def test_contacts(self):
         testvalue = 'testaccount'
         self.app.get('/auth/user_info/contacts/')
         self.app.post('/auth/user_info/contacts/skype_account',
-                      params=dict(skypeaccount=testvalue, 
_session_id=self.app.cookies['_session_id']))
+                      params=dict(skypeaccount=testvalue, 
_csrf_token=self.app.cookies['_csrf_token']))
         user = M.User.query.get(username='test-admin')
         assert user.skypeaccount == testvalue
 
@@ -1318,7 +1318,7 @@ def test_contacts(self):
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(socialnetwork=socialnetwork,
                                   accounturl=accounturl,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 1
@@ -1331,7 +1331,7 @@ def test_contacts(self):
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(socialnetwork=socialnetwork2,
                                   accounturl='@test',
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 2
@@ -1344,7 +1344,7 @@ def test_contacts(self):
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(socialnetwork=socialnetwork3,
                                   accounturl=accounturl3,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 3
@@ -1353,7 +1353,7 @@ def test_contacts(self):
         self.app.post('/auth/user_info/contacts/remove_social_network',
                       params=dict(socialnetwork=socialnetwork,
                                   account=accounturl,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 2
@@ -1364,7 +1364,7 @@ def test_contacts(self):
         # Add empty social network account
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(accounturl=accounturl, socialnetwork='',
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 2
@@ -1375,7 +1375,7 @@ def test_contacts(self):
         # Add invalid social network account
         self.app.post('/auth/user_info/contacts/add_social_network',
                       params=dict(accounturl=accounturl, 
socialnetwork='invalid',
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert len(user.socialnetworks) == 2
@@ -1387,7 +1387,7 @@ def test_contacts(self):
         telnumber = '+3902123456'
         self.app.post('/auth/user_info/contacts/add_telnumber',
                       params=dict(newnumber=telnumber,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert (len(user.telnumbers) == 1 and (user.telnumbers[0] == 
telnumber))
@@ -1396,7 +1396,7 @@ def test_contacts(self):
         telnumber2 = '+3902654321'
         self.app.post('/auth/user_info/contacts/add_telnumber',
                       params=dict(newnumber=telnumber2,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert (len(user.telnumbers) == 2 and telnumber in user.telnumbers and 
telnumber2 in user.telnumbers)
@@ -1404,7 +1404,7 @@ def test_contacts(self):
         # Remove first telephone number
         self.app.post('/auth/user_info/contacts/remove_telnumber',
                       params=dict(oldvalue=telnumber,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert (len(user.telnumbers) == 1 and telnumber2 in user.telnumbers)
@@ -1413,7 +1413,7 @@ def test_contacts(self):
         website = 'http://www.testurl.com'
         self.app.post('/auth/user_info/contacts/add_webpage',
                       params=dict(newwebsite=website,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert (len(user.webpages) == 1 and (website in user.webpages))
@@ -1422,7 +1422,7 @@ def test_contacts(self):
         website2 = 'http://www.testurl2.com'
         self.app.post('/auth/user_info/contacts/add_webpage',
                       params=dict(newwebsite=website2,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert (len(user.webpages) == 2 and website in user.webpages and 
website2 in user.webpages)
@@ -1430,7 +1430,7 @@ def test_contacts(self):
         # Remove first website
         self.app.post('/auth/user_info/contacts/remove_webpage',
                       params=dict(oldvalue=website,
-                                  _session_id=self.app.cookies['_session_id'],
+                                  _csrf_token=self.app.cookies['_csrf_token'],
                                   ))
         user = M.User.query.get(username='test-admin')
         assert (len(user.webpages) == 1 and website2 in user.webpages)
@@ -1448,7 +1448,7 @@ def test_availability(self):
                               weekday=weekday,
                               starttime=starttime.strftime('%H:%M'),
                               endtime=endtime.strftime('%H:%M'),
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         timeslot1dict = dict(week_day=weekday, start_time=starttime, 
end_time=endtime)
@@ -1464,7 +1464,7 @@ def test_availability(self):
                               weekday=weekday2,
                               starttime=starttime2.strftime('%H:%M'),
                               endtime=endtime2.strftime('%H:%M'),
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         timeslot2dict = dict(week_day=weekday2, start_time=starttime2, 
end_time=endtime2)
@@ -1478,7 +1478,7 @@ def test_availability(self):
                               weekday=weekday,
                               starttime=starttime.strftime('%H:%M'),
                               endtime=endtime.strftime('%H:%M'),
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         assert len(user.availability) == 1 and timeslot2dict in 
user.get_availability_timeslots()
@@ -1489,7 +1489,7 @@ def test_availability(self):
                               weekday=weekday2,
                               starttime=endtime2.strftime('%H:%M'),
                               endtime=starttime2.strftime('%H:%M'),
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         assert 'Invalid period:' in str(r)
         user = M.User.query.get(username='test-admin')
@@ -1508,7 +1508,7 @@ def test_inactivity(self):
                           params=dict(
                               startdate=startdate.strftime('%d/%m/%Y'),
                               enddate=enddate.strftime('%d/%m/%Y'),
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         period1dict = dict(start_date=startdate, end_date=enddate)
@@ -1521,7 +1521,7 @@ def test_inactivity(self):
                           params=dict(
                               startdate=startdate2.strftime('%d/%m/%Y'),
                               enddate=enddate2.strftime('%d/%m/%Y'),
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         period2dict = dict(start_date=startdate2, end_date=enddate2)
@@ -1535,7 +1535,7 @@ def test_inactivity(self):
             params=dict(
                 startdate=startdate.strftime('%d/%m/%Y'),
                 enddate=enddate.strftime('%d/%m/%Y'),
-                _session_id=self.app.cookies['_session_id'],
+                _csrf_token=self.app.cookies['_csrf_token'],
             ))
         user = M.User.query.get(username='test-admin')
         assert len(user.inactiveperiod) == 1 and period2dict in 
user.get_inactive_periods()
@@ -1545,7 +1545,7 @@ def test_inactivity(self):
                           params=dict(
                               startdate='NOT/A/DATE',
                               enddate=enddate2.strftime('%d/%m/%Y'),
-                              _session_id=self.app.cookies['_session_id'],
+                              _csrf_token=self.app.cookies['_csrf_token'],
                           ))
         user = M.User.query.get(username='test-admin')
         assert 'Please enter a valid date' in str(r)
@@ -1564,7 +1564,7 @@ def test_skills(self):
                           level=level,
                           comment=comment,
                           selected_skill=str(skill_cat.trove_cat_id),
-                          _session_id=self.app.cookies['_session_id'],
+                          _csrf_token=self.app.cookies['_csrf_token'],
                       ))
         user = M.User.query.get(username='test-admin')
         skilldict = dict(category_id=skill_cat._id,
@@ -1580,7 +1580,7 @@ def test_skills(self):
                           level=level,
                           comment=comment,
                           selected_skill=str(skill_cat.trove_cat_id),
-                          _session_id=self.app.cookies['_session_id'],
+                          _csrf_token=self.app.cookies['_csrf_token'],
                       ))
         user = M.User.query.get(username='test-admin')
         skilldict = dict(category_id=skill_cat._id,
@@ -1595,7 +1595,7 @@ def test_skills(self):
                           level=level2,
                           comment=comment2,
                           selected_skill=str(skill_cat.trove_cat_id),
-                          _session_id=self.app.cookies['_session_id'],
+                          _csrf_token=self.app.cookies['_csrf_token'],
                       ))
         user = M.User.query.get(username='test-admin')
         # Check that everything is as it was before
@@ -1606,7 +1606,7 @@ def test_skills(self):
         self.app.post('/auth/user_info/skills/remove_skill',
                       params=dict(
                           categoryid=str(skill_cat.trove_cat_id),
-                          _session_id=self.app.cookies['_session_id'],
+                          _csrf_token=self.app.cookies['_csrf_token'],
                       ))
         user = M.User.query.get(username='test-admin')
         assert len(user.skills) == 0
@@ -1616,12 +1616,12 @@ def test_user_message(self):
         self.app.get('/').follow()  # establish session
         assert not 
M.User.query.get(username='test-admin').get_pref('disable_user_messages')
         self.app.post('/auth/preferences/user_message',
-                      params={'_session_id': self.app.cookies['_session_id'],
+                      params={'_csrf_token': self.app.cookies['_csrf_token'],
                               })
         assert 
M.User.query.get(username='test-admin').get_pref('disable_user_messages')
         self.app.post('/auth/preferences/user_message',
                       params={'allow_user_messages': 'on',
-                              '_session_id': self.app.cookies['_session_id'],
+                              '_csrf_token': self.app.cookies['_csrf_token'],
                               })
         assert not 
M.User.query.get(username='test-admin').get_pref('disable_user_messages')
 
@@ -1663,7 +1663,7 @@ def test_email_unconfirmed(self, gen_message_id, 
sendmail, p_sendlink, p_sendpwd
         ThreadLocalODMSession.flush_all()
         self.app.get('/').follow()  # establish session
         self.app.post('/auth/password_recovery_hash', {'email': email.email,
-                                                       '_session_id': 
self.app.cookies['_session_id'],
+                                                       '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                        })
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
         assert hash is None
@@ -1680,7 +1680,7 @@ def test_user_disabled(self, gen_message_id, sendmail):
         ThreadLocalODMSession.flush_all()
         self.app.get('/').follow()  # establish session
         self.app.post('/auth/password_recovery_hash', {'email': email.email,
-                                                       '_session_id': 
self.app.cookies['_session_id'],
+                                                       '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                        })
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
         assert hash is None
@@ -1699,7 +1699,7 @@ def test_only_primary_email_reset_allowed(self, 
gen_message_id, sendmail):
 
         with h.push_config(config, 
**{'auth.allow_non_primary_email_password_reset': 'false'}):
             self.app.post('/auth/password_recovery_hash', {'email': 
self.test_primary_email,
-                                                           '_session_id': 
self.app.cookies['_session_id'],
+                                                           '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                            })
             hash = user.get_tool_data('AuthPasswordReset', 'hash')
             assert hash is not None
@@ -1719,7 +1719,7 @@ def test_non_primary_email_reset_allowed(self, 
gen_message_id, sendmail):
         ThreadLocalODMSession.flush_all()
         with h.push_config(config, 
**{'auth.allow_non_primary_email_password_reset': 'true'}):
             self.app.post('/auth/password_recovery_hash', {'email': 
email1.email,
-                                                           '_session_id': 
self.app.cookies['_session_id'],
+                                                           '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                            })
             hash = user.get_tool_data('AuthPasswordReset', 'hash')
             assert hash is not None
@@ -1739,7 +1739,7 @@ def test_password_reset(self, gen_message_id, 
sendsimplemail):
         # request a reset
         with td.audits('Password recovery link sent to: ' + email.email, 
user=True):
             r = self.app.post('/auth/password_recovery_hash', {'email': 
email.email,
-                                                               '_session_id': 
self.app.cookies['_session_id'],
+                                                               '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                                })
         # confirm some fields
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
@@ -1825,7 +1825,7 @@ def test_capitalized_email_entered(self, gen_message_id, 
sendmail):
         # request a reset
         with td.audits('Password recovery link sent to: ' + email.email, 
user=True):
             r = self.app.post('/auth/password_recovery_hash', {'email': 
email.email.capitalize(),  # NOTE THIS
-                                                               '_session_id': 
self.app.cookies['_session_id'],
+                                                               '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                                })
         # confirm it worked
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
@@ -1841,7 +1841,7 @@ def test_hash_expired(self, gen_message_id, sendmail):
         ThreadLocalODMSession.flush_all()
         self.app.get('/').follow()  # establish session
         r = self.app.post('/auth/password_recovery_hash', {'email': 
email.email,
-                                                           '_session_id': 
self.app.cookies['_session_id'],
+                                                           '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                            })
         user = M.User.by_username('test-admin')
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
@@ -1851,7 +1851,7 @@ def test_hash_expired(self, gen_message_id, sendmail):
         assert 'Password reset link is invalid or expired' in 
r.follow().follow().text
         r = self.app.post('/auth/set_new_password/%s' %
                           hash.encode('utf-8'), {'pw': '154321', 'pw2': 
'154321',
-                                                 '_session_id': 
self.app.cookies['_session_id'],
+                                                 '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                  })
         assert 'Unable to process password reset' in r.follow().follow().text
 
@@ -1869,10 +1869,10 @@ def test_provider_disabled(self, AP):
         self.app.get('/auth/forgotten_password', status=404)
         self.app.get('/').follow()  # establish session
         self.app.post('/auth/set_new_password',
-                      {'pw': 'foo', 'pw2': 'foo', '_session_id': 
self.app.cookies['_session_id']},
+                      {'pw': 'foo', 'pw2': 'foo', '_csrf_token': 
self.app.cookies['_csrf_token']},
                       status=404)
         self.app.post('/auth/password_recovery_hash',
-                      {'email': 'foo', '_session_id': 
self.app.cookies['_session_id']},
+                      {'email': 'foo', '_csrf_token': 
self.app.cookies['_csrf_token']},
                       status=404)
 
     
@patch('allura.lib.plugin.AuthenticationProvider.hibp_password_check_enabled', 
Mock(return_value=True))
@@ -1887,7 +1887,7 @@ def test_pwd_reset_hibp_check(self, gen_message_id, 
sendmail):
 
         # request a reset
         r = self.app.post('/auth/password_recovery_hash', {'email': 
email.email,
-                                                           '_session_id': 
self.app.cookies['_session_id'],
+                                                           '_csrf_token': 
self.app.cookies['_csrf_token'],
                                                            })
         hash = user.get_tool_data('AuthPasswordReset', 'hash')
 
@@ -1928,7 +1928,7 @@ def test_register_deregister_app(self):
         r = self.app.get('/auth/oauth/')
         r = self.app.post('/auth/oauth/register',
                           params={'application_name': 'oautstapp', 
'application_description': 'Oauth rulez',
-                                  '_session_id': 
self.app.cookies['_session_id'],
+                                  '_csrf_token': 
self.app.cookies['_csrf_token'],
                                   }).follow()
         assert 'oautstapp' in r
         # deregister
@@ -1942,7 +1942,7 @@ def test_generate_revoke_access_token(self):
         self.app.get('/').follow()  # establish session
         r = self.app.post('/auth/oauth/register',
                           params={'application_name': 'oautstapp', 
'application_description': 'Oauth rulez',
-                                  '_session_id': 
self.app.cookies['_session_id'],
+                                  '_csrf_token': 
self.app.cookies['_csrf_token'],
                                   }, status=302)
         r = self.app.get('/auth/oauth/')
         assert r.forms[1].action == 'generate_access_token'
@@ -2665,7 +2665,7 @@ def test_has_asks_password(self):
     def test_bad_password(self):
         self.app.get('/').follow()  # establish session
         r = self.app.post('/auth/disable/do_disable', {'password': 'bad',
-                                                       '_session_id': 
self.app.cookies['_session_id'], })
+                                                       '_csrf_token': 
self.app.cookies['_csrf_token'], })
         assert 'Invalid password' in r
         user = M.User.by_username('test-admin')
         assert user.disabled is False
@@ -2673,7 +2673,7 @@ def test_bad_password(self):
     def test_disable(self):
         self.app.get('/').follow()  # establish session
         r = self.app.post('/auth/disable/do_disable', {'password': 'foo',
-                                                       '_session_id': 
self.app.cookies['_session_id'], })
+                                                       '_csrf_token': 
self.app.cookies['_csrf_token'], })
         assert r.status_int == 302
         assert r.location == 'http://localhost/'
         flash = json.loads(self.webflash(r))
@@ -2888,7 +2888,7 @@ def test_blocks_invalid(self):
 
         r = self.app.post('/auth/do_login', params=dict(
             username='test-admin', password='foo',
-            _session_id=self.app.cookies['_session_id']),
+            _csrf_token=self.app.cookies['_csrf_token']),
             antispam=True)
 
         # regular form submit
@@ -2898,18 +2898,18 @@ def test_blocks_invalid(self):
 
         # invalid form submit
         r = self.app.get('/admin/overview')
-        r.form['_session_id'] = 'bogus'
+        r.form['_csrf_token'] = 'bogus'
         r = r.form.submit()
         assert r.location == 'http://localhost/auth/'
 
     def test_blocks_invalid_on_login(self):
         r = self.app.get('/auth/', extra_environ=dict(username='*anonymous'))
-        r.form['_session_id'] = 'bogus'
+        r.form['_csrf_token'] = 'bogus'
         r.form.submit(status=403)
 
     def test_token_present_on_first_request(self):
         r = self.app.get('/auth/', extra_environ=dict(username='*anonymous'))
-        assert r.form['_session_id'].value
+        assert r.form['_csrf_token'].value
 
 
 class TestTwoFactor(TestController):
@@ -2943,7 +2943,7 @@ def test_settings_off(self):
                         '/auth/do_multifactor',
                         ]:
                 self.app.post(url,
-                              {'password': 'foo', '_session_id': 
self.app.cookies['_session_id']},
+                              {'password': 'foo', '_csrf_token': 
self.app.cookies['_csrf_token']},
                               status=404)
 
     def test_user_disabled(self):
diff --git a/AlluraTest/alluratest/validation.py 
b/AlluraTest/alluratest/validation.py
index ee3c7ce48..5ed55ca31 100644
--- a/AlluraTest/alluratest/validation.py
+++ b/AlluraTest/alluratest/validation.py
@@ -220,7 +220,7 @@ def post(self, *args, **kwargs) -> TestResponse:
             }
             for k, v in kwargs['params'].items():
                 params[antispam.enc(k)] = v
-            params['_session_id'] = kwargs['params'].get('_session_id')  # 
exclude csrf token from encryption
+            params['_csrf_token'] = kwargs['params'].get('_csrf_token')  # 
exclude csrf token from encryption
             kwargs['params'] = params
         return super().post(*args, **kwargs)
 
diff --git a/ForgeActivity/forgeactivity/nf/activity/js/activity.js 
b/ForgeActivity/forgeactivity/nf/activity/js/activity.js
index b0c83e719..2d25d8bb8 100644
--- a/ForgeActivity/forgeactivity/nf/activity/js/activity.js
+++ b/ForgeActivity/forgeactivity/nf/activity/js/activity.js
@@ -304,7 +304,7 @@ $(function() {
             $row.css('background', 'lightgray');
             $.post('delete_item', {
                 activity_id: $row.attr('id'),
-                _session_id: $.cookie('_session_id')
+                _csrf_token: $.cookie('_csrf_token')
             }).done(function() {
                 $('input[name=delete]', $row).remove();
                 $row.css('text-decoration', 
'line-through').removeAttr('data-can-delete');
diff --git a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js 
b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
index b7d267998..cbb18eaa4 100644
--- a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
+++ b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
@@ -34,7 +34,7 @@ $(document).ready(function() {
         e.preventDefault();
         var $link = $(this);
         var data = {
-            '_session_id': $link.data('csrf'),
+            '_csrf_token': $link.data('csrf'),
             'follow': ! $link.data('following')
         };
         $.post(this.href, data, function(result) {
diff --git a/ForgeBlog/forgeblog/templates/blog/post_history.html 
b/ForgeBlog/forgeblog/templates/blog/post_history.html
index ea7cd8723..77e891a5a 100644
--- a/ForgeBlog/forgeblog/templates/blog/post_history.html
+++ b/ForgeBlog/forgeblog/templates/blog/post_history.html
@@ -69,11 +69,11 @@
             modal.html(dialog_text.html());
 
             modal.find('.continue_confirm').click(function (evt) {
-                var cval = $.cookie('_session_id');
+                var cval = $.cookie('_csrf_token');
                 evt.preventDefault();
                 var _t = $(this);
                 var url = _t.data('href') || _t.attr('href');
-                $.post(url, {_session_id: cval}, function (val) {
+                $.post(url, {_csrf_token: cval}, function (val) {
                     window.location = val.location;
                 }, 'json');
             });
diff --git a/ForgeChat/forgechat/tests/functional/test_root.py 
b/ForgeChat/forgechat/tests/functional/test_root.py
index 5e7e73975..a11cd761d 100644
--- a/ForgeChat/forgechat/tests/functional/test_root.py
+++ b/ForgeChat/forgechat/tests/functional/test_root.py
@@ -36,7 +36,7 @@ def test_root_index(self):
     def test_admin_configure(self):
         self.app.get('/').follow()  # establish session
         data = {'channel': 'test channel',
-                '_session_id': self.app.cookies['_session_id']}
+                '_csrf_token': self.app.cookies['_csrf_token']}
         ch = CM.ChatChannel.query.get()
         assert ch.channel == ''
         resp = self.app.post('/p/test/admin/chat/configure', data)
diff --git a/ForgeFeedback/forgefeedback/templates/feedback/index.html 
b/ForgeFeedback/forgefeedback/templates/feedback/index.html
index 1caacc33c..394561a64 100755
--- a/ForgeFeedback/forgefeedback/templates/feedback/index.html
+++ b/ForgeFeedback/forgefeedback/templates/feedback/index.html
@@ -56,8 +56,8 @@
 {% block extra_js %}
 <script>
     $('.post-link').click(function() {
-    var cval = $.cookie('_session_id');
-    $.post( '{{c.app.url}}delete_feedback', {'_session_id':cval},
+    var cval = $.cookie('_csrf_token');
+    $.post( '{{c.app.url}}delete_feedback', {'_csrf_token':cval},
         function(){ 
             window.location.href = '{{c.app.url}}';
             }
diff --git a/ForgeFiles/forgefiles/nf/files/js/files.js 
b/ForgeFiles/forgefiles/nf/files/js/files.js
index afa8ae081..bc76da6e0 100644
--- a/ForgeFiles/forgefiles/nf/files/js/files.js
+++ b/ForgeFiles/forgefiles/nf/files/js/files.js
@@ -24,7 +24,7 @@ function removeModalContent(){
     $('#error_message_delete_folder').remove();
 }
 
-var cval = $.cookie('_session_id');
+var cval = $.cookie('_csrf_token');
 
  function ConfirmDisableFolder(folderID,status,parent_status,url)
      {
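Review bot: `cval` is read from the cookie once at script load on the `+` line at module scope and then reused by every handler in this file, so if the `_csrf_token` cookie is replaced while the page stays open (after a login or a token rotation, neither of which this diff shows) the stale value would be posted and rejected. The other scripts touched by this commit, such as the tracker `ticket.html` and wiki `master.html` handlers, read the cookie inside the click handler instead. Do the same here: make `var cval = $.cookie('_csrf_token');` the first statement of each function that calls `$.post`, and drop the module-level variable. The functions that use it (`ConfirmDisableFolder` and the later hunks) continue past this hunk.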
@@ -42,7 +42,7 @@ var cval = $.cookie('_session_id');
                  var disable_status = 'False';
              }
              if (confirm_resp){
-                $.post(url, {'folder_id':folderID, 'status':disable_status, 
_session_id:cval}, function() {
+                $.post(url, {'folder_id':folderID, 'status':disable_status, 
_csrf_token:cval}, function() {
                     location.reload();
                 });
              }
@@ -67,7 +67,7 @@ var cval = $.cookie('_session_id');
                  var disable_status = 'False';
              }
              if (confirm_resp){
-                 $.post(url, {'file_id':fileID, 'status':disable_status, 
_session_id:cval}, function() {
+                 $.post(url, {'file_id':fileID, 'status':disable_status, 
_csrf_token:cval}, function() {
                     location.reload();
                 });
              }
@@ -87,7 +87,7 @@ var cval = $.cookie('_session_id');
         var confirm_resp = confirm("Are you sure you want to link to the 
Downloads?");
         var link_status = 'True';
     }
-    $.post(url, {'file_id':fileID, 'status':link_status, _session_id:cval}, 
function() {
+    $.post(url, {'file_id':fileID, 'status':link_status, _csrf_token:cval}, 
function() {
         location.reload();
     })
  }
diff --git a/ForgeSVN/forgesvn/templates/svn/checkout_url.html 
b/ForgeSVN/forgesvn/templates/svn/checkout_url.html
index 63a79a8d7..5a1935c04 100644
--- a/ForgeSVN/forgesvn/templates/svn/checkout_url.html
+++ b/ForgeSVN/forgesvn/templates/svn/checkout_url.html
@@ -55,11 +55,11 @@
 {% if allow_config %}
   <script type="text/javascript">
     function save_checkout_url() {
-        var cval = $.cookie('_session_id');
+        var cval = $.cookie('_csrf_token');
         
$.post('{{c.project.url()}}admin/{{app.config.options.mount_point}}/set_checkout_url',
 {
             checkout_url: $('#checkout_url').val(),
             external_checkout_url: $('#external_checkout_url').val(),
-            _session_id:cval
+            _csrf_token:cval
         },
         function () {
             location.reload();
diff --git a/ForgeShortUrl/forgeshorturl/templates/index.html 
b/ForgeShortUrl/forgeshorturl/templates/index.html
index b91f2982b..4b1cbe827 100644
--- a/ForgeShortUrl/forgeshorturl/templates/index.html
+++ b/ForgeShortUrl/forgeshorturl/templates/index.html
@@ -91,11 +91,11 @@
             </a>
             <script>
               $(function() {
-                var cval = $.cookie('_session_id');
+                var cval = $.cookie('_csrf_token');
                 $('#remove-url-{{su.short_name}}').click(function() {
                     if (confirm('Remove URL {{su.short_name}}?')) {
                       var row = $(this).parents('tr');
-                      var data = {_session_id: cval, shorturl: '{{ 
su.short_name }}'};
+                      var data = {_csrf_token: cval, shorturl: '{{ 
su.short_name }}'};
                       $.post(this.href, data, function(data, status, xhr) {
                         if (data.status == 'ok') row.remove();
                       });
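Review bot: `su.short_name` is interpolated directly into JavaScript string literals on the `+` line (`shorturl: '{{ su.short_name }}'`) and, a few lines above, into the `confirm('Remove URL {{su.short_name}}?')` text and the element selector. If Jinja HTML autoescaping is active for this template a quote becomes `&#39;` and the literal survives, but the rendering mode and whether short names are restricted to safe characters at creation are not visible in this hunk, and otherwise a name containing `'` or a backslash would break the script. Emitting the value as `shorturl: {{ su.short_name|tojson }}` (no surrounding quotes) yields a correctly escaped JS literal regardless of the autoescape setting. The surrounding `$(function() { ... })` block starts before and ends after this hunk.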
diff --git a/ForgeTracker/forgetracker/templates/tracker/ticket.html 
b/ForgeTracker/forgetracker/templates/tracker/ticket.html
index f776e70f1..72e44b050 100644
--- a/ForgeTracker/forgetracker/templates/tracker/ticket.html
+++ b/ForgeTracker/forgetracker/templates/tracker/ticket.html
@@ -236,16 +236,16 @@
             return false;
           });
           $('.post-link').click(function(evt) {
-                        var cval = $.cookie('_session_id');
+                        var cval = $.cookie('_csrf_token');
                         evt.preventDefault();
-                        $.post(this.href, {_session_id:cval}, function(val)
+                        $.post(this.href, {_csrf_token:cval}, function(val)
                                 { window.location = val.location; },
                                 'json');
           });
           // delete attachments
           $('div.attachment_thumb a.delete_attachment').click(function () {
-            var cval = $.cookie('_session_id');
-            $.post(this.href, {'delete': 'True','_session_id':cval}, function 
() {
+            var cval = $.cookie('_csrf_token');
+            $.post(this.href, {'delete': 'True','_csrf_token':cval}, function 
() {
                 location.reload();
             });
             return false;
diff --git a/ForgeUserStats/forgeuserstats/tests/test_stats.py 
b/ForgeUserStats/forgeuserstats/tests/test_stats.py
index b44e900d7..30bb0dde7 100644
--- a/ForgeUserStats/forgeuserstats/tests/test_stats.py
+++ b/ForgeUserStats/forgeuserstats/tests/test_stats.py
@@ -41,7 +41,7 @@ def test_login(self):
         self.app.get('/').follow()  # establish session
         self.app.post('/auth/do_login', antispam=True, params=dict(
             username=user.username, password='foo',
-            _session_id=self.app.cookies['_session_id'],
+            _csrf_token=self.app.cookies['_csrf_token'],
         ))
 
         assert user.stats.tot_logins_count == 1 + init_logins
diff --git a/ForgeWiki/forgewiki/templates/wiki/master.html 
b/ForgeWiki/forgewiki/templates/wiki/master.html
index 37d237a59..e2884ef60 100644
--- a/ForgeWiki/forgewiki/templates/wiki/master.html
+++ b/ForgeWiki/forgewiki/templates/wiki/master.html
@@ -55,11 +55,11 @@
             modal.html(dialog_text.html());
 
             modal.find('.continue_confirm').click(function (evt) {
-                var cval = $.cookie('_session_id');
+                var cval = $.cookie('_csrf_token');
                 evt.preventDefault();
                 var _t = $(this);
                 var url = _t.data('href') || _t.attr('href');
-                $.post(url, {_session_id: cval}, function (val) {
+                $.post(url, {_csrf_token: cval}, function (val) {
                     window.location = val.location;
                 }, 'json');
             });
diff --git a/ForgeWiki/forgewiki/templates/wiki/page_edit.html 
b/ForgeWiki/forgewiki/templates/wiki/page_edit.html
index e75672268..a5a441d91 100644
--- a/ForgeWiki/forgewiki/templates/wiki/page_edit.html
+++ b/ForgeWiki/forgewiki/templates/wiki/page_edit.html
@@ -165,7 +165,7 @@
     $.ajax({
       type: "POST",
       url: attr_url,
-      data: elem.serialize() +"&_session_id=" + $.cookie('_session_id'),
+      data: elem.serialize() +"&_csrf_token=" + $.cookie('_csrf_token'),
       success:  function() {
         elem.parent().remove();
       }
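Review bot: The token is appended to the serialized form body without encoding on the `+` line, so any `&`, `=`, `+` or `%` in the cookie value would corrupt the request body, whereas the other handlers in this commit pass the token through a `$.post` data object that jQuery encodes. Use `data: elem.serialize() + "&_csrf_token=" + encodeURIComponent($.cookie('_csrf_token')),` so the line is correct whatever alphabet the server uses for the token; how the token is generated is not visible here. The enclosing function begins before this hunk.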
diff --git a/ForgeWiki/forgewiki/wiki_main.py b/ForgeWiki/forgewiki/wiki_main.py
index a24a1df4c..01f639e14 100644
--- a/ForgeWiki/forgewiki/wiki_main.py
+++ b/ForgeWiki/forgewiki/wiki_main.py
@@ -311,7 +311,7 @@ def sidebar_menu_js(self):
             e.preventDefault();
             var link = this;
             var data = {
-                _session_id: $.cookie('_session_id'),
+                _csrf_token: $.cookie('_csrf_token'),
                 subscribe: '1'
             };
             $.post(this.href, data, function(){
@@ -324,7 +324,7 @@ def sidebar_menu_js(self):
             e.preventDefault();
             var link = this;
             var data = {
-                _session_id: $.cookie('_session_id'),
+                _csrf_token: $.cookie('_csrf_token'),
                 unsubscribe: '1'
             };
             $.post(this.href, data, function(){
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index fc10499a1..728f89b09 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -134,9 +134,9 @@ def check_authentication(req):
         honey1_field: '',
         honey2_field: '',
         'return_to': '/login_successful',
-        '_session_id': 'this-is-our-session',
+        '_csrf_token': 'this-is-our-session',
     }, cookies={
-        '_session_id': 'this-is-our-session',
+        '_csrf_token': 'this-is-our-session',
     })
     if r.status_code == 302 and 
r.headers['location'].endswith('/login_successful'):
         return True
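Review bot: The literal `'this-is-our-session'` is now sent as the `_csrf_token` form field and cookie but still describes itself as a session, and the same string is repeated for both the field and the cookie here and again in the two later hunks of `check_authentication`. Hoist it to one module-level constant, for example `_CSRF_TOKEN = 'this-is-our-csrf-token'  # double-submit: field and cookie only need to match`, and reference it in all six places so a future change cannot leave the field and cookie out of sync. The comment reflects what the script relies on (the same arbitrary value in both places); that the server checks nothing beyond equality is inferred, not visible in this diff. `check_authentication` starts before this hunk.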
@@ -153,9 +153,9 @@ def check_authentication(req):
             honey1_field: '',
             honey2_field: '',
             'return_to': '/login_successful',
-            '_session_id': 'this-is-our-session',
+            '_csrf_token': 'this-is-our-session',
         }, cookies={
-            '_session_id': 'this-is-our-session',
+            '_csrf_token': 'this-is-our-session',
         })
         if r.status_code == 302 and '/auth/multifactor' in 
r.headers['location']:
             multifactor_url = auth_url.replace('do_login', 'do_multifactor')
@@ -163,9 +163,9 @@ def check_authentication(req):
                 'mode': 'totp',
                 'code': code,
                 'return_to': '/login_successful',
-                '_session_id': 'this-is-our-session',
+                '_csrf_token': 'this-is-our-session',
             }, cookies={
-                '_session_id': 'this-is-our-session',
+                '_csrf_token': 'this-is-our-session',
             })
             if r.status_code == 302 and 
r.headers['location'].endswith('/login_successful'):
                 return True
