Issue 361: Include the CSRF token in all forms

2011-09-04 18:16:03 -07:00 · 2011-09-04 18:16:03 -07:00 · 0a8a3fc157
commit 0a8a3fc157
parent f1226c98c4
9 changed files with 9 additions and 0 deletions
--- a/mediagoblin/templates/mediagoblin/auth/login.html
+++ b/mediagoblin/templates/mediagoblin/auth/login.html
@ -22,6 +22,7 @@
 {% block mediagoblin_content %}
  <form action="{{ request.urlgen('mediagoblin.auth.login') }}"
        method="POST" enctype="multipart/form-data">
+    {{ csrf_token }}
    <div class="grid_6 prefix_1 suffix_1 form_box">
      <h1>{% trans %}Log in{% endtrans %}</h1>
      {% if login_failed %}
--- a/mediagoblin/templates/mediagoblin/auth/register.html
+++ b/mediagoblin/templates/mediagoblin/auth/register.html
@ -26,6 +26,7 @@
    <div class="grid_6 prefix_1 suffix_1 form_box">
      <h1>{% trans %}Create an account!{% endtrans %}</h1>
      {{ wtforms_util.render_divs(register_form) }}
+      {{ csrf_token }}
      <div class="form_submit_buttons">
        <input type="submit" value="{% trans %}Create{% endtrans %}"
               class="button" />
--- a/mediagoblin/templates/mediagoblin/edit/attachments.html
+++ b/mediagoblin/templates/mediagoblin/edit/attachments.html
@ -49,6 +49,7 @@
      <div class="form_submit_buttons">
        <a href="{{ media.url_for_self(request.urlgen) }}">Cancel</a>
        <input type="submit" value="Save changes" class="button" />
+	{{ csrf_token }}
      </div>
    </div>
  </form>
--- a/mediagoblin/templates/mediagoblin/edit/edit.html
+++ b/mediagoblin/templates/mediagoblin/edit/edit.html
@ -35,6 +35,7 @@
      <div class="form_submit_buttons">
        <a href="{{ media.url_for_self(request.urlgen) }}">{% trans %}Cancel{% endtrans %}</a>
        <input type="submit" value="{% trans %}Save changes{% endtrans %}" class="button" />
+	{{ csrf_token }}
      </div>
    </div>
  </form>
--- a/mediagoblin/templates/mediagoblin/edit/edit_profile.html
+++ b/mediagoblin/templates/mediagoblin/edit/edit_profile.html
@ -33,6 +33,7 @@
      {{ wtforms_util.render_divs(form) }}
      <div class="form_submit_buttons">
        <input type="submit" value="{% trans %}Save changes{% endtrans %}" class="button" />
+	{{ csrf_token }}
      </div>
    </div>
  </form>
--- a/mediagoblin/templates/mediagoblin/submit/start.html
+++ b/mediagoblin/templates/mediagoblin/submit/start.html
@ -26,6 +26,7 @@
      <h1>{% trans %}Submit yer media{% endtrans %}</h1>
      {{ wtforms_util.render_divs(submit_form) }}
      <div class="form_submit_buttons">
+      {{ csrf_token }}
      <input type="submit" value="{% trans %}Submit{% endtrans %}" class="button" />
      </div>
    </div>
--- a/mediagoblin/templates/mediagoblin/test_submit.html
+++ b/mediagoblin/templates/mediagoblin/test_submit.html
@ -26,6 +26,7 @@
        <tr>
          <td></td>
          <td><input type="submit" value="submit" class="button" /></td>
+	  {{ csrf_token }}
        </tr>
      </table>
    </form>
--- a/mediagoblin/templates/mediagoblin/user_pages/media.html
+++ b/mediagoblin/templates/mediagoblin/user_pages/media.html
@ -72,6 +72,7 @@
          {{ wtforms_util.render_divs(comment_form) }}
          <div class="form_submit_buttons">
            <input type="submit" value="{% trans %}Post comment!{% endtrans %}" class="button" />
+	    {{ csrf_token }}
          </div>
        </form>
      {% endif %}
--- a/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html
+++ b/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html
@ -42,6 +42,7 @@
      {{ wtforms_util.render_divs(form) }}
      <div class="form_submit_buttons">
        <input type="submit" value="{% trans %}Save changes{% endtrans %}" class="button" />
+	{{ csrf_token }}
      </div>
    </div>
  </form>