From ac62b76c18a2c15985ba29431b81c1f400610913 Mon Sep 17 00:00:00 2001 From: Michael Hall Date: Sat, 7 Jul 2018 12:05:07 -0400 Subject: [PATCH] Add csrf checks to join/leave team and event attending status. Fixes #96 --- events/utils.py | 18 ++++++++++++++++++ events/views.py | 5 +++++ .../get_together/events/show_event.html | 18 +++++++++--------- .../get_together/teams/show_team.html | 4 ++-- get_together/views/events.py | 2 ++ 5 files changed, 36 insertions(+), 11 deletions(-) diff --git a/events/utils.py b/events/utils.py index 9a81344..26f12bf 100644 --- a/events/utils.py +++ b/events/utils.py @@ -1,5 +1,8 @@ import re import unicodedata +from django.middleware.csrf import _sanitize_token, _compare_salted_tokens +from django.conf import settings +from django.core.exceptions import PermissionDenied SLUG_OK = '-_~' @@ -19,3 +22,18 @@ def slugify(s, ok=SLUG_OK, lower=True, spaces=False): new = re.sub('[-\s]+', '-', new) return new.lower() if lower else new + +def verify_csrf(token_key='csrftoken'): + + def wrap_view(view_func): + def check_csrf_token(request, *args, **kwargs): + csrf_token = _sanitize_token(request.GET.get(token_key, '')) + match = _compare_salted_tokens(csrf_token, request.COOKIES[settings.CSRF_COOKIE_NAME]) + if not match: + raise PermissionDenied + else: + return view_func(request, *args, **kwargs) + + return check_csrf_token + return wrap_view + diff --git a/events/views.py b/events/views.py index b3e2cee..36a679a 100644 --- a/events/views.py +++ b/events/views.py @@ -11,6 +11,7 @@ from .models.events import Event, EventComment, Place, PlaceSerializer, Attendee from .models.locale import Country ,CountrySerializer, SPR, SPRSerializer, City, CitySerializer from .models.profiles import Team, UserProfile, Member, Sponsor, SponsorSerializer from .forms import EventCommentForm +from .utils import verify_csrf import simplejson @@ -104,7 +105,9 @@ def sponsor_list(request): return Response(serializer.data) +@verify_csrf(token_key='csrftoken') def join_team(request, team_id): + if request.user.is_anonymous: messages.add_message(request, messages.WARNING, message=_('You must be logged in to join a team.')) return redirect('show-team', team_id=team_id) @@ -116,6 +119,8 @@ def join_team(request, team_id): messages.add_message(request, messages.SUCCESS, message=_('Welcome to the team!')) return redirect('show-team', team_id=team_id) + +@verify_csrf(token_key='csrftoken') def leave_team(request, team_id): if request.user.is_anonymous: messages.add_message(request, messages.WARNING, message=_('You must be logged in to leave a team.')) diff --git a/get_together/templates/get_together/events/show_event.html b/get_together/templates/get_together/events/show_event.html index 487a328..b677a95 100644 --- a/get_together/templates/get_together/events/show_event.html +++ b/get_together/templates/get_together/events/show_event.html @@ -124,13 +124,13 @@ {% endif %} {% if not is_attending %}
- Attend + Attend
{% endif %} @@ -287,20 +287,20 @@ {% if attendee.status == attendee.YES %} {% elif attendee.status == attendee.MAYBE %} {% elif attendee.status == attendee.NO %} {% endif %} {% else %} diff --git a/get_together/templates/get_together/teams/show_team.html b/get_together/templates/get_together/teams/show_team.html index 8b2706e..1df005c 100644 --- a/get_together/templates/get_together/teams/show_team.html +++ b/get_together/templates/get_together/teams/show_team.html @@ -35,9 +35,9 @@ Manage Members {% endif %} {% if is_member %} - {% if not team.owner_profile == request.user.profile %}Leave Team{% endif %} + {% if not team.owner_profile == request.user.profile %}Leave Team{% endif %} {% else %} - Join Team + Join Team {% endif %}
diff --git a/get_together/views/events.py b/get_together/views/events.py index 39d9958..03a960f 100644 --- a/get_together/views/events.py +++ b/get_together/views/events.py @@ -43,6 +43,7 @@ from events.forms import ( SponsorForm, ) from events import location +from events.utils import verify_csrf from accounts.models import EmailRecord @@ -421,6 +422,7 @@ def contact_attendee(attendee, body, sender): ) +@verify_csrf(token_key='csrftoken') def attend_event(request, event_id): event = get_object_or_404(Event, id=event_id) if request.user.is_anonymous: