diff --git a/events/utils.py b/events/utils.py
index 9a81344..26f12bf 100644
--- a/events/utils.py
+++ b/events/utils.py
@@ -1,5 +1,8 @@
import re
import unicodedata
+from django.middleware.csrf import _sanitize_token, _compare_salted_tokens
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
SLUG_OK = '-_~'
@@ -19,3 +22,18 @@ def slugify(s, ok=SLUG_OK, lower=True, spaces=False):
new = re.sub('[-\s]+', '-', new)
return new.lower() if lower else new
+
+def verify_csrf(token_key='csrftoken'):
+
+ def wrap_view(view_func):
+ def check_csrf_token(request, *args, **kwargs):
+ csrf_token = _sanitize_token(request.GET.get(token_key, ''))
+ match = _compare_salted_tokens(csrf_token, request.COOKIES[settings.CSRF_COOKIE_NAME])
+ if not match:
+ raise PermissionDenied
+ else:
+ return view_func(request, *args, **kwargs)
+
+ return check_csrf_token
+ return wrap_view
+
diff --git a/events/views.py b/events/views.py
index b3e2cee..36a679a 100644
--- a/events/views.py
+++ b/events/views.py
@@ -11,6 +11,7 @@ from .models.events import Event, EventComment, Place, PlaceSerializer, Attendee
from .models.locale import Country ,CountrySerializer, SPR, SPRSerializer, City, CitySerializer
from .models.profiles import Team, UserProfile, Member, Sponsor, SponsorSerializer
from .forms import EventCommentForm
+from .utils import verify_csrf
import simplejson
@@ -104,7 +105,9 @@ def sponsor_list(request):
return Response(serializer.data)
+@verify_csrf(token_key='csrftoken')
def join_team(request, team_id):
+
if request.user.is_anonymous:
messages.add_message(request, messages.WARNING, message=_('You must be logged in to join a team.'))
return redirect('show-team', team_id=team_id)
@@ -116,6 +119,8 @@ def join_team(request, team_id):
messages.add_message(request, messages.SUCCESS, message=_('Welcome to the team!'))
return redirect('show-team', team_id=team_id)
+
+@verify_csrf(token_key='csrftoken')
def leave_team(request, team_id):
if request.user.is_anonymous:
messages.add_message(request, messages.WARNING, message=_('You must be logged in to leave a team.'))
diff --git a/get_together/templates/get_together/events/show_event.html b/get_together/templates/get_together/events/show_event.html
index 487a328..b677a95 100644
--- a/get_together/templates/get_together/events/show_event.html
+++ b/get_together/templates/get_together/events/show_event.html
@@ -124,13 +124,13 @@
{% endif %}
{% if not is_attending %}
{% endif %}
@@ -287,20 +287,20 @@
{% if attendee.status == attendee.YES %}
{{ attendee.status_name }}
{% elif attendee.status == attendee.MAYBE %}
{{ attendee.status_name }}
{% elif attendee.status == attendee.NO %}
{{ attendee.status_name }}
{% endif %}
{% else %}
diff --git a/get_together/templates/get_together/teams/show_team.html b/get_together/templates/get_together/teams/show_team.html
index 8b2706e..1df005c 100644
--- a/get_together/templates/get_together/teams/show_team.html
+++ b/get_together/templates/get_together/teams/show_team.html
@@ -35,9 +35,9 @@
Manage Members
{% endif %}
{% if is_member %}
- {% if not team.owner_profile == request.user.profile %}Leave Team{% endif %}
+ {% if not team.owner_profile == request.user.profile %}Leave Team{% endif %}
{% else %}
- Join Team
+ Join Team
{% endif %}
diff --git a/get_together/views/events.py b/get_together/views/events.py
index 39d9958..03a960f 100644
--- a/get_together/views/events.py
+++ b/get_together/views/events.py
@@ -43,6 +43,7 @@ from events.forms import (
SponsorForm,
)
from events import location
+from events.utils import verify_csrf
from accounts.models import EmailRecord
@@ -421,6 +422,7 @@ def contact_attendee(attendee, body, sender):
)
+@verify_csrf(token_key='csrftoken')
def attend_event(request, event_id):
event = get_object_or_404(Event, id=event_id)
if request.user.is_anonymous: