From: Radek Czajka Date: Wed, 5 Oct 2011 13:57:56 +0000 (+0200) Subject: filebrowser csrf issues fix X-Git-Url: https://git.mdrn.pl/redakcja.git/commitdiff_plain/aed5e435ac8246d3ba054059292f8b15ec6c27a7 filebrowser csrf issues fix --- diff --git a/apps/filebrowser/templates/filebrowser/makedir.html b/apps/filebrowser/templates/filebrowser/makedir.html index 2a4466f5..c0320df0 100644 --- a/apps/filebrowser/templates/filebrowser/makedir.html +++ b/apps/filebrowser/templates/filebrowser/makedir.html @@ -34,6 +34,7 @@ {% block content %}
+ {% csrf_token %}
{% if form.errors %}

{% trans 'Please correct the following errors.' %}

{% endif %}
@@ -59,4 +60,4 @@
-{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/apps/filebrowser/templates/filebrowser/rename.html b/apps/filebrowser/templates/filebrowser/rename.html index 4c12830a..19e63f99 100644 --- a/apps/filebrowser/templates/filebrowser/rename.html +++ b/apps/filebrowser/templates/filebrowser/rename.html @@ -34,6 +34,7 @@ {% block content %}
+ {% csrf_token %}
{% if form.errors %}

{% trans 'Please correct the following errors.' %}

{% endif %}
@@ -60,4 +61,4 @@
-{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/apps/filebrowser/views.py b/apps/filebrowser/views.py index 7c2967a4..80ed6968 100644 --- a/apps/filebrowser/views.py +++ b/apps/filebrowser/views.py @@ -15,6 +15,7 @@ from django import forms from django.core.urlresolvers import reverse from django.core.exceptions import ImproperlyConfigured from django.dispatch import Signal +from django.views.decorators.csrf import csrf_exempt from django.utils.encoding import smart_unicode, smart_str @@ -186,6 +187,7 @@ def mkdir(request): mkdir = staff_member_required(never_cache(mkdir)) +@csrf_exempt def upload(request): """ Multipe File Upload. @@ -217,6 +219,7 @@ def upload(request): upload = staff_member_required(never_cache(upload)) +@csrf_exempt def _check_file(request): """ Check if file already exists on the server. @@ -249,6 +252,7 @@ def _upload_file(request): Upload file to the server. """ + print 'a' from django.core.files.move import file_move_safe if request.method == 'POST': @@ -272,7 +276,7 @@ def _upload_file(request): # POST UPLOAD SIGNAL filebrowser_post_upload.send(sender=request, path=request.POST.get('folder'), file=FileObject(os.path.join(DIRECTORY, folder, filedata.name))) return HttpResponse('True') -_upload_file = flash_login_required(_upload_file) +_upload_file = csrf_exempt(flash_login_required(_upload_file)) # delete signals