From: Radek Czajka <radoslaw.czajka@nowoczesnapolska.org.pl>
Date: Wed, 5 Oct 2011 13:57:56 +0000 (+0200)
Subject: filebrowser csrf issues fix
X-Git-Url: https://git.mdrn.pl/redakcja.git/commitdiff_plain/aed5e435ac8246d3ba054059292f8b15ec6c27a7?hp=d3802aac61418039b0951f7fcfdd3dcc1ae299af

filebrowser csrf issues fix
---

diff --git a/apps/filebrowser/templates/filebrowser/makedir.html b/apps/filebrowser/templates/filebrowser/makedir.html
index 2a4466f5..c0320df0 100644
--- a/apps/filebrowser/templates/filebrowser/makedir.html
+++ b/apps/filebrowser/templates/filebrowser/makedir.html
@@ -34,6 +34,7 @@
 {% block content %}
 <div id="content-main">
     <form action="{% query_string %}" method="post">
+    {% csrf_token %}
     <div>
         {% if form.errors %}<p class="errornote">{% trans 'Please correct the following errors.' %}</p>{% endif %}
         <fieldset class="module aligned">
@@ -59,4 +60,4 @@
     </div>
     </form>
 </div>
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/apps/filebrowser/templates/filebrowser/rename.html b/apps/filebrowser/templates/filebrowser/rename.html
index 4c12830a..19e63f99 100644
--- a/apps/filebrowser/templates/filebrowser/rename.html
+++ b/apps/filebrowser/templates/filebrowser/rename.html
@@ -34,6 +34,7 @@
 {% block content %}
 <div id="content-main">
     <form action="{% query_string "" "filter_date,filter_type,q" %}" method="post">
+    {% csrf_token %}
     <div>
         {% if form.errors %}<p class="errornote">{% trans 'Please correct the following errors.' %}</p>{% endif %}
         <fieldset class="module aligned">
@@ -60,4 +61,4 @@
     </div>
     </form>
 </div>
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/apps/filebrowser/views.py b/apps/filebrowser/views.py
index 7c2967a4..80ed6968 100644
--- a/apps/filebrowser/views.py
+++ b/apps/filebrowser/views.py
@@ -15,6 +15,7 @@ from django import forms
 from django.core.urlresolvers import reverse
 from django.core.exceptions import ImproperlyConfigured
 from django.dispatch import Signal
+from django.views.decorators.csrf import csrf_exempt
 
 from django.utils.encoding import smart_unicode, smart_str
 
@@ -186,6 +187,7 @@ def mkdir(request):
 mkdir = staff_member_required(never_cache(mkdir))
 
 
+@csrf_exempt
 def upload(request):
     """
     Multipe File Upload.
@@ -217,6 +219,7 @@ def upload(request):
 upload = staff_member_required(never_cache(upload))
 
 
+@csrf_exempt
 def _check_file(request):
     """
     Check if file already exists on the server.
@@ -249,6 +252,7 @@ def _upload_file(request):
     Upload file to the server.
     """
 
+    print 'a'
     from django.core.files.move import file_move_safe
 
     if request.method == 'POST':
@@ -272,7 +276,7 @@ def _upload_file(request):
             # POST UPLOAD SIGNAL
             filebrowser_post_upload.send(sender=request, path=request.POST.get('folder'), file=FileObject(os.path.join(DIRECTORY, folder, filedata.name)))
     return HttpResponse('True')
-_upload_file = flash_login_required(_upload_file)
+_upload_file = csrf_exempt(flash_login_required(_upload_file))
 
 
 # delete signals