filebrowser csrf issues fix

author Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>

Wed, 5 Oct 2011 13:57:56 +0000 (15:57 +0200)

committer Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>

Wed, 5 Oct 2011 13:57:56 +0000 (15:57 +0200)
author Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>
Wed, 5 Oct 2011 13:57:56 +0000 (15:57 +0200)
committer Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>
Wed, 5 Oct 2011 13:57:56 +0000 (15:57 +0200)
diff --git a/apps/filebrowser/templates/filebrowser/makedir.html b/apps/filebrowser/templates/filebrowser/makedir.html

index 2a4466f..c0320df 100644 (file)
--- a/apps/filebrowser/templates/filebrowser/makedir.html
+++ b/apps/filebrowser/templates/filebrowser/makedir.html
@@ -34,6 +34,7 @@
  {% block content %}
  <div id="content-main">
      <form action="{% query_string %}" method="post">
  {% block content %}
  <div id="content-main">
      <form action="{% query_string %}" method="post">
+    {% csrf_token %}
      <div>
          {% if form.errors %}<p class="errornote">{% trans 'Please correct the following errors.' %}</p>{% endif %}
          <fieldset class="module aligned">
      <div>
          {% if form.errors %}<p class="errornote">{% trans 'Please correct the following errors.' %}</p>{% endif %}
          <fieldset class="module aligned">
@@ -59,4 +60,4 @@
      </div>
      </form>
  </div>
      </div>
      </form>
  </div>
-{% endblock %}
-\ No newline at end of file
+{% endblock %}
diff --git a/apps/filebrowser/templates/filebrowser/rename.html b/apps/filebrowser/templates/filebrowser/rename.html

index 4c12830..19e63f9 100644 (file)
--- a/apps/filebrowser/templates/filebrowser/rename.html
+++ b/apps/filebrowser/templates/filebrowser/rename.html
@@ -34,6 +34,7 @@
  {% block content %}
  <div id="content-main">
      <form action="{% query_string "" "filter_date,filter_type,q" %}" method="post">
  {% block content %}
  <div id="content-main">
      <form action="{% query_string "" "filter_date,filter_type,q" %}" method="post">
+    {% csrf_token %}
      <div>
          {% if form.errors %}<p class="errornote">{% trans 'Please correct the following errors.' %}</p>{% endif %}
          <fieldset class="module aligned">
      <div>
          {% if form.errors %}<p class="errornote">{% trans 'Please correct the following errors.' %}</p>{% endif %}
          <fieldset class="module aligned">
@@ -60,4 +61,4 @@
      </div>
      </form>
  </div>
      </div>
      </form>
  </div>
-{% endblock %}
-\ No newline at end of file
+{% endblock %}
diff --git a/apps/filebrowser/views.py b/apps/filebrowser/views.py

index 7c2967a..80ed696 100644 (file)
--- a/apps/filebrowser/views.py
+++ b/apps/filebrowser/views.py
@@ -15,6 +15,7 @@ from django import forms
  from django.core.urlresolvers import reverse
  from django.core.exceptions import ImproperlyConfigured
  from django.dispatch import Signal
  from django.core.urlresolvers import reverse
  from django.core.exceptions import ImproperlyConfigured
  from django.dispatch import Signal
+from django.views.decorators.csrf import csrf_exempt
  
  from django.utils.encoding import smart_unicode, smart_str
  
  
  from django.utils.encoding import smart_unicode, smart_str
  
@@ -186,6 +187,7 @@ def mkdir(request):
  mkdir = staff_member_required(never_cache(mkdir))
  
  
  mkdir = staff_member_required(never_cache(mkdir))
  
  
+@csrf_exempt
  def upload(request):
      """
      Multipe File Upload.
  def upload(request):
      """
      Multipe File Upload.
@@ -217,6 +219,7 @@ def upload(request):
  upload = staff_member_required(never_cache(upload))
  
  
  upload = staff_member_required(never_cache(upload))
  
  
+@csrf_exempt
  def _check_file(request):
      """
      Check if file already exists on the server.
  def _check_file(request):
      """
      Check if file already exists on the server.
@@ -249,6 +252,7 @@ def _upload_file(request):
      Upload file to the server.
      """
  
      Upload file to the server.
      """
  
+    print 'a'
      from django.core.files.move import file_move_safe
  
      if request.method == 'POST':
      from django.core.files.move import file_move_safe
  
      if request.method == 'POST':
@@ -272,7 +276,7 @@ def _upload_file(request):
              # POST UPLOAD SIGNAL
              filebrowser_post_upload.send(sender=request, path=request.POST.get('folder'), file=FileObject(os.path.join(DIRECTORY, folder, filedata.name)))
      return HttpResponse('True')
              # POST UPLOAD SIGNAL
              filebrowser_post_upload.send(sender=request, path=request.POST.get('folder'), file=FileObject(os.path.join(DIRECTORY, folder, filedata.name)))
      return HttpResponse('True')
-_upload_file = flash_login_required(_upload_file)
+_upload_file = csrf_exempt(flash_login_required(_upload_file))
  
  
  # delete signals
  
  
  # delete signals
author	Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>
	Wed, 5 Oct 2011 13:57:56 +0000 (15:57 +0200)
committer	Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>
	Wed, 5 Oct 2011 13:57:56 +0000 (15:57 +0200)
apps/filebrowser/templates/filebrowser/makedir.html		patch \| blob \| history
apps/filebrowser/templates/filebrowser/rename.html		patch \| blob \| history
apps/filebrowser/views.py		patch \| blob \| history