CSRF protection added to some methods

CSRF tokens added to following actions: creating election, editing election, adding trustee.

CSRF protection added to some methods
168ed93e · Dawid Gaweł · fc7d532a · 168ed93e · 168ed93e · 168ed93e
Commit 168ed93e authored Dec 30, 2015 by Dawid Gaweł
--- a/helios/templates/election_edit.html
+++ b/helios/templates/election_edit.html
@@ -11,6 +11,7 @@
 {% endif %}
  
  <form class="prettyform" action="" method="POST" id="edit_election_form">
+    <input type="hidden" name="csrf_token" value="{{csrf_token}}" />
    <table class="pretty">
     {{election_form.as_table}}
     </table>

--- a/helios/templates/election_new.html
+++ b/helios/templates/election_new.html
@@ -11,6 +11,7 @@
 {% endif %}
  
  <form class="prettyform" action="" method="POST" id="create_election_form">
+    <input type="hidden" name="csrf_token" value="{{csrf_token}}" />
    <table class="pretty">
     {{election_form.as_table}}
     </table>

--- a/helios/templates/new_trustee.html
+++ b/helios/templates/new_trustee.html
@@ -4,6 +4,7 @@
  <h2 class="title">{{election.name}} &mdash; New Trustee <span style="font-size:0.7em;">[<a href="{% url "helios.views.list_trustees_view" election.uuid %}">cancel</a>]</span></h2>
  
 <form method="post" action="">
+<input type="hidden" name="csrf_token" value="{{csrf_token}}" />
 Name: <input type="text" name="name" size="60" /><br /><br />
 Email: <input type="text" name="email" size="60" /><br /><br />


--- a/helios/tests.py
+++ b/helios/tests.py
@@ -527,7 +527,9 @@ class ElectionBlackboxTests(WebTest):
            "election_type" : "referendum",
            "use_voter_aliases": "0",
            "use_advanced_audit_features": "1",
-            "private_p" : "False"}
+            "private_p" : "False",
+            'csrf_token': self.client.session['csrf_token']
+        }

        # override with the given
        full_election_params.update(election_params)
@@ -788,7 +790,8 @@ class ElectionBlackboxTests(WebTest):
                "election_type" : "election",
                "use_voter_aliases": "0",
                "use_advanced_audit_features": "1",
-                "private_p" : "False"})
+                "private_p" : "False",
+                'csrf_token': self.client.session['csrf_token']})

        election_id = re.match("(.*)/elections/(.*)/view", response['Location']).group(2)


--- a/helios/views.py
+++ b/helios/views.py
@@ -200,6 +200,7 @@ def election_new(request):
    election_form = forms.ElectionForm(initial={'private_p': settings.HELIOS_PRIVATE_DEFAULT,
                                                'help_email': user.info.get("email", '')})
  else:
+    check_csrf(request)
    election_form = forms.ElectionForm(request.POST)
    
    if election_form.is_valid():
@@ -247,6 +248,7 @@ def one_election_edit(request, election):
      values[attr_name] = getattr(election, attr_name)
    election_form = forms.ElectionForm(values)
  else:
+    check_csrf(request)
    election_form = forms.ElectionForm(request.POST)
    
    if election_form.is_valid():
@@ -399,6 +401,7 @@ def new_trustee(request, election):
  if request.method == "GET":
    return render_template(request, 'new_trustee', {'election' : election})
  else:
+    check_csrf(request)
    # get the public key and the hash, and add it
    name = request.POST['name']
    email = request.POST['email']