Commit 168ed93e authored by Dawid Gaweł's avatar Dawid Gaweł

CSRF protection added to some methods

CSRF tokens added to the following actions: creating an election, editing an election, adding a trustee.
parent fc7d532a
......@@ -11,6 +11,7 @@
{% endif %}
<form class="prettyform" action="" method="POST" id="edit_election_form">
<input type="hidden" name="csrf_token" value="{{csrf_token}}" />
<table class="pretty">
{{election_form.as_table}}
</table>
......
......@@ -11,6 +11,7 @@
{% endif %}
<form class="prettyform" action="" method="POST" id="create_election_form">
<input type="hidden" name="csrf_token" value="{{csrf_token}}" />
<table class="pretty">
{{election_form.as_table}}
</table>
......
......@@ -4,6 +4,7 @@
<h2 class="title">{{election.name}} &mdash; New Trustee <span style="font-size:0.7em;">[<a href="{% url "helios.views.list_trustees_view" election.uuid %}">cancel</a>]</span></h2>
<form method="post" action="">
<input type="hidden" name="csrf_token" value="{{csrf_token}}" />
Name: <input type="text" name="name" size="60" /><br /><br />
Email: <input type="text" name="email" size="60" /><br /><br />
......
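Review bot: The hidden field at the top of this hunk renders `{{csrf_token}}`, but the `new_trustee` view changed in this same commit calls `render_template(request, 'new_trustee', {'election' : election})` with no `csrf_token` in the context; unless `render_template` injects it on its own (not visible here), the input renders with an empty value and every POST to this form fails the new check. Worth confirming that the helper adds the token, or passing it explicitly in that context dict. The same question applies to the edit-election and create-election templates above, whose view-side context is not shown in this commit.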
......@@ -527,7 +527,9 @@ class ElectionBlackboxTests(WebTest):
"election_type" : "referendum",
"use_voter_aliases": "0",
"use_advanced_audit_features": "1",
"private_p" : "False"}
"private_p" : "False",
'csrf_token': self.client.session['csrf_token']
}
# override with the given
full_election_params.update(election_params)
......@@ -788,7 +790,8 @@ class ElectionBlackboxTests(WebTest):
"election_type" : "election",
"use_voter_aliases": "0",
"use_advanced_audit_features": "1",
"private_p" : "False"})
"private_p" : "False",
'csrf_token': self.client.session['csrf_token']})
election_id = re.match("(.*)/elections/(.*)/view", response['Location']).group(2)
......
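Review bot: Both hunks only exercise the happy path — they attach `self.client.session['csrf_token']` to the POST, so nothing verifies that a request without a token, or with a wrong one, is actually rejected. A negative case in `ElectionBlackboxTests` that posts the same parameters minus `csrf_token` and asserts the error response would pin the protection this commit introduces. Reading the token from the session also presumes an earlier GET of the form page populated it; if the setup path does not, the lookup raises `KeyError` and the failure reads as a test error rather than a CSRF failure. The enclosing test methods start and end outside these hunks.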
......@@ -200,6 +200,7 @@ def election_new(request):
election_form = forms.ElectionForm(initial={'private_p': settings.HELIOS_PRIVATE_DEFAULT,
'help_email': user.info.get("email", '')})
else:
check_csrf(request)
election_form = forms.ElectionForm(request.POST)
if election_form.is_valid():
......@@ -247,6 +248,7 @@ def one_election_edit(request, election):
values[attr_name] = getattr(election, attr_name)
election_form = forms.ElectionForm(values)
else:
check_csrf(request)
election_form = forms.ElectionForm(request.POST)
if election_form.is_valid():
......@@ -399,6 +401,7 @@ def new_trustee(request, election):
if request.method == "GET":
return render_template(request, 'new_trustee', {'election' : election})
else:
check_csrf(request)
# get the public key and the hash, and add it
name = request.POST['name']
email = request.POST['email']
......
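Review bot: `check_csrf(request)` is added by hand in each of the three POST branches, which leaves every other state-changing handler in this module unprotected until someone remembers the extra line; a view decorator or a middleware applied at the URL level (Django's `CsrfViewMiddleware` is the standard one) enforces the check uniformly. The helper's behaviour is not visible here — whether a missing `csrf_token` counts as a failure and whether the comparison is constant-time (`hmac.compare_digest`) — and no import of `check_csrf` appears in these hunks, so both are worth confirming. A one-line comment above each call, e.g. `# reject state-changing requests that lack a valid per-session CSRF token`, would document the intent for the next handler someone adds. All three enclosing functions start before and end after their hunks.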