From 168ed93e64722bc42d86f1881e3dd5872787271c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dawid=20Gawe=C5=82?= <daw.gawel@gmail.com>
Date: Wed, 30 Dec 2015 23:29:06 +0100
Subject: [PATCH] CSRF protection added to some methods

CSRF tokens added to following actions: creating election, editing election, adding trustee.
---
 helios/templates/election_edit.html | 1 +
 helios/templates/election_new.html | 1 +
 helios/templates/new_trustee.html | 1 +
 helios/tests.py | 7 +++++--
 helios/views.py | 3 +++
 5 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/helios/templates/election_edit.html b/helios/templates/election_edit.html
index 0c6c08c..2519fb7 100644
--- a/helios/templates/election_edit.html
+++ b/helios/templates/election_edit.html
@@ -11,6 +11,7 @@
 {% endif %}
 
 <form class="prettyform" action="" method="POST" id="edit_election_form">
+ <input type="hidden" name="csrf_token" value="{{csrf_token}}" />
 <table class="pretty">
 {{election_form.as_table}}
 </table>
diff --git a/helios/templates/election_new.html b/helios/templates/election_new.html
index 43a602f..1e5e2ec 100644
--- a/helios/templates/election_new.html
+++ b/helios/templates/election_new.html
@@ -11,6 +11,7 @@
 {% endif %}
 
 <form class="prettyform" action="" method="POST" id="create_election_form">
+ <input type="hidden" name="csrf_token" value="{{csrf_token}}" />
 <table class="pretty">
 {{election_form.as_table}}
 </table>
diff --git a/helios/templates/new_trustee.html b/helios/templates/new_trustee.html
index d41079c..0df1a27 100644
--- a/helios/templates/new_trustee.html
+++ b/helios/templates/new_trustee.html
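Review bot: The hidden field added inside `edit_election_form` only works if `csrf_token` is actually in the template context; the context provider (`render_template`) is not part of this patch, so if it does not copy the session token into the context the value renders as an empty string and the server-side check would then reject every legitimate edit. It is worth confirming that the provider sets it and that the session already holds a token on the GET that renders this page. A short template comment would make the dependency explicit, e.g. `{# csrf_token must be supplied by the view context; an empty value makes check_csrf reject the POST #}`.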
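Review bot: The same literal hidden input is now hand-written in three templates (this one, election_edit.html and new_trustee.html), so the field name and the context variable have to be kept in sync by hand. A one-line partial, e.g. `{% include "csrf_field.html" %}`, or a small template tag would give a single place to change if the token name or its source ever moves. This is a style point only; the behaviour of the new line is fine as written.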
@@ -4,6 +4,7 @@
 <h2 class="title">{{election.name}} — New Trustee <span style="font-size:0.7em;">[<a href="{% url "helios.views.list_trustees_view" election.uuid %}">cancel</a>]</span></h2>
 
 <form method="post" action="">
+<input type="hidden" name="csrf_token" value="{{csrf_token}}" />
 Name: <input type="text" name="name" size="60" /><br /><br />
 Email: <input type="text" name="email" size="60" /><br /><br />
 
diff --git a/helios/tests.py b/helios/tests.py
index b3ed32a..9389c4f 100644
--- a/helios/tests.py
+++ b/helios/tests.py
@@ -527,7 +527,9 @@ class ElectionBlackboxTests(WebTest):
 "election_type" : "referendum",
 "use_voter_aliases": "0",
 "use_advanced_audit_features": "1",
- "private_p" : "False"}
+ "private_p" : "False",
+ 'csrf_token': self.client.session['csrf_token']
+ }
 
 # override with the given
 full_election_params.update(election_params)
@@ -788,7 +790,8 @@ class ElectionBlackboxTests(WebTest):
 "election_type" : "election",
 "use_voter_aliases": "0",
 "use_advanced_audit_features": "1",
- "private_p" : "False"})
+ "private_p" : "False",
+ 'csrf_token': self.client.session['csrf_token']})
 
 election_id = re.match("(.*)/elections/(.*)/view", response['Location']).group(2)
 
diff --git a/helios/views.py b/helios/views.py
index f218a1a..ec998fb 100644
--- a/helios/views.py
+++ b/helios/views.py
@@ -200,6 +200,7 @@ def election_new(request):
 election_form = forms.ElectionForm(initial={'private_p': settings.HELIOS_PRIVATE_DEFAULT,
 'help_email': user.info.get("email", '')})
 else:
+ check_csrf(request)
 election_form = forms.ElectionForm(request.POST)
 
 if election_form.is_valid():
@@ -247,6 +248,7 @@ def one_election_edit(request, election):
 values[attr_name] = getattr(election, attr_name)
 election_form = forms.ElectionForm(values)
 else:
+ check_csrf(request)
 election_form = forms.ElectionForm(request.POST)
 
 if election_form.is_valid():
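Review bot: The new `'csrf_token': self.client.session['csrf_token']` entry only exercises the accept path; nothing in the patch asserts that a POST without the token, or with a wrong one, is refused, which is the behaviour the commit introduces. A companion test that posts the same parameters with the `csrf_token` key removed, and another with `'csrf_token': 'bogus'`, asserting a forbidden response and that no election was created, would pin that down. `self.client.session['csrf_token']` also raises KeyError if no earlier request in the test created the session token; the enclosing method starts outside this hunk, so I cannot see whether a GET precedes this dict.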
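Review bot: The return value of the added `check_csrf(request)` is discarded, so the protection only holds if `check_csrf` signals a missing or mismatched token by raising; `check_csrf` itself is not in this patch, so that should be confirmed, because if it signals failure by returning a response the handler continues and saves the form. While confirming, the token comparison inside it should be constant-time (`hmac.compare_digest`) rather than `!=`. The body of `election_new` begins before this hunk.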
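Review bot: Per the subject line the check is added to "some methods", so every other POST handler in views.py that is not touched here remains unprotected, and each future handler has to remember the call. Rather than an ad-hoc `check_csrf(request)` in each `else:` branch, a decorator applied next to the existing election-admin decorators (or Django's CsrfViewMiddleware, if the project's session-token scheme can be reconciled with it) would enforce it uniformly. The placement here, before `forms.ElectionForm(request.POST)` binds any data, is correct; `one_election_edit` starts outside this hunk.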
@@ -399,6 +401,7 @@ def new_trustee(request, election):
 if request.method == "GET":
 return render_template(request, 'new_trustee', {'election' : election})
 else:
+ check_csrf(request)
 # get the public key and the hash, and add it
 name = request.POST['name']
 email = request.POST['email']
-- 
GitLab
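Review bot: The added `check_csrf(request)` sits directly above the pre-existing comment `# get the public key and the hash, and add it`, so the comment now reads as if it describes the CSRF check; a one-liner of its own, `# reject cross-site form submissions before reading any POST data`, would keep the intent clear. Note also that this `else:` branch handles every non-GET method, so `check_csrf` is the only thing gating e.g. PUT or DELETE here — fine if it rejects non-POST, which cannot be seen in this patch. The `request.POST['name']` / `request.POST['email']` lookups still raise KeyError on a missing field; that is pre-existing and not something this commit addresses. The rest of `new_trustee` continues past the hunk.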