FIX bypass csrf for XHR calls

2025-04-15 18:13:33 +02:00 · 2025-04-15 18:13:33 +02:00 · 3f2e4a3a6a
commit 3f2e4a3a6a
parent 3f5823403c
2 changed files with 5 additions and 2 deletions
--- a/larigira/dbadmin/init.py
+++ b/larigira/dbadmin/init.py
@ -140,7 +140,7 @@ def is_xhr():
@db.route("/add/time/<kind>", methods=["GET", "POST"])
 def addtime_kind(kind):
    Form, receiver = tuple(forms.get_timeform(kind))
-    form = Form(csrf_enabled=(not is_xhr()))
+    form = Form(meta={'csrf': not is_xhr()})
    if request.method == "POST":
        if form.validate():
            data = receiver(form)
@ -175,7 +175,7 @@ def addaudio():
@db.route("/add/audio/<kind>", methods=["GET", "POST"])
 def addaudio_kind(kind):
    Form, receiver = tuple(forms.get_audioform(kind))
-    form = Form(csrf_enabled=(not is_xhr()))
+    form = Form(meta={'csrf': not is_xhr()})
    if request.method == "POST":
        if form.validate():
            data = receiver(form)
--- a/larigira/rpc.py
+++ b/larigira/rpc.py
@ -6,6 +6,7 @@ from flask import (Blueprint, Flask, abort, current_app, jsonify, redirect,
                   render_template, request)
 from flask_babel import Babel
 from flask_bootstrap import Bootstrap
+from flask_wtf.csrf import CSRFProtect

 from cachelib import SimpleCache
 from greenlet import greenlet
@ -185,6 +186,8 @@ def create_app(queue, larigira):
    Bootstrap(app)
    babel = Babel(app)
    babel.init_app(app, locale_selector=babel_get_locale)
+    csrf = CSRFProtect(app)
+    csrf.exempt(db)
    app.register_blueprint(rpc)
    app.register_blueprint(viewui)
    app.register_blueprint(db)