csrf and honeypots

diff --git a/apps/ajaxable/templates/ajaxable/form.html b/apps/ajaxable/templates/ajaxable/form.html
index 84e86e1..38113db 100755 (executable)
--- a/apps/ajaxable/templates/ajaxable/form.html
+++ b/apps/ajaxable/templates/ajaxable/form.html
@@ -1,8 +1,14 @@
 {% load i18n %}
+
 <h1>{{ title }}</h1>
 
 <form action="{{ request.get_full_path }}" method="post" accept-charset="utf-8"
        class="cuteform{% if placeholdize %} hidelabels{% endif %}">
+{% csrf_token %}
+{% if honeypot %}
+    {% load honeypot %}
+    {% render_honeypot_field %}
+{% endif %}
 <ol>
     <div id="id_{% if form_prefix %}{{ form_prefix }}-{% endif %}__all__"></div>
     {{ form.as_ul }}

diff --git a/apps/ajaxable/utils.py b/apps/ajaxable/utils.py
index 02e8767..52cf638 100755 (executable)
--- a/apps/ajaxable/utils.py
+++ b/apps/ajaxable/utils.py
@@ -10,6 +10,7 @@ from django.utils.http import urlquote_plus
 from django.utils import simplejson
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.vary import vary_on_headers
+from honeypot.decorators import verify_honeypot_value
 
 
 class LazyEncoder(simplejson.JSONEncoder):
@@ -76,6 +77,7 @@ class AjaxableFormView(object):
     formname = "form"
     form_prefix = None
     full_template = "ajaxable/form_on_page.html"
+    honeypot = False
 
     @method_decorator(vary_on_headers('X-Requested-With'))
     def __call__(self, request, *args, **kwargs):
@@ -86,6 +88,11 @@ class AjaxableFormView(object):
             form_kwargs['prefix'] = self.form_prefix
 
         if request.method == "POST":
+            if self.honeypot:
+                response = verify_honeypot_value(request, None)
+                if response:
+                    return response
+
             # do I need to be logged in?
             if self.POST_login and not request.user.is_authenticated():
                 return require_login(request)
@@ -136,6 +143,7 @@ class AjaxableFormView(object):
         context = {
                 self.formname: form, 
                 "title": title,
+                "honeypot": self.honeypot,
                 "placeholdize": self.placeholdize,
                 "submit": self.submit,
                 "response_data": response_data,

diff --git a/apps/catalogue/templates/catalogue/book_short.html b/apps/catalogue/templates/catalogue/book_short.html
index 1b1eb4b..d9b5b76 100644 (file)
--- a/apps/catalogue/templates/catalogue/book_short.html
+++ b/apps/catalogue/templates/catalogue/book_short.html
@@ -27,6 +27,7 @@
     </div>
     <div class="if-unlike">
         <form id="social-like-book-{{ book.slug }}" data-callback='social-like-book' method='post' class='ajax-form' action='{% url social_like_book book.slug %}'>
+            {% csrf_token %}
             <button type='submit'>☆</button>
         </form>
     </div>

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 0c05d17..5dff961 100644 (file)
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -556,6 +556,7 @@ class CustomPDFFormView(AjaxableFormView):
     form_class = forms.CustomPDFForm
     title = ugettext_lazy('Download custom PDF')
     submit = ugettext_lazy('Download')
+    honeypot = True
 
     def __call__(self, request):
         from copy import copy

diff --git a/apps/social/templates/social/sets_form.html b/apps/social/templates/social/sets_form.html
index 2ea1a86..c7282fd 100755 (executable)
--- a/apps/social/templates/social/sets_form.html
+++ b/apps/social/templates/social/sets_form.html
@@ -3,11 +3,13 @@
 
 <form action="{% url social_unlike_book view_kwargs.slug %}" method="post" accept-charset="utf-8"
        class="cuteform{% if placeholdize %} hidelabels{% endif %}">
+{% csrf_token %}
     <input type="submit" value="{% trans "Remove from my shelf" %}"/>
 </form>
 
 <form action="{{ request.get_full_path }}" method="post" accept-charset="utf-8"
        class="cuteform{% if placeholdize %} hidelabels{% endif %}">
+{% csrf_token %}
 <ol>
     <div id="id___all__"></div>
     {{ form.as_ul }}

diff --git a/apps/suggest/templates/publishing_suggest.html b/apps/suggest/templates/publishing_suggest.html
index 3e71000..ea1d926 100755 (executable)
--- a/apps/suggest/templates/publishing_suggest.html
+++ b/apps/suggest/templates/publishing_suggest.html
@@ -1,8 +1,11 @@
 {% load i18n %}
+{% load honeypot %}
+
 <h1>{% trans "Didn't find a book? Make a suggestion." %}</h1>
 
 <form id='suggest-publishing-form' action="{% url suggest_publishing %}" method="post" accept-charset="utf-8" class="cuteform">
 {% csrf_token %}
+{% render_honeypot_field %}
 <ol>
     <li><span class="error">{{ form.contact.errors }}</span><label for="id_contact">{{ form.contact.label }}</label> {{ form.contact }}</li>
 

diff --git a/apps/suggest/views.py b/apps/suggest/views.py
index 15b65f2..035074d 100644 (file)
--- a/apps/suggest/views.py
+++ b/apps/suggest/views.py
@@ -6,7 +6,6 @@ from django.utils.translation import ugettext_lazy as _
 
 from ajaxable.utils import AjaxableFormView
 from suggest import forms
-from suggest.models import Suggestion, PublishingSuggestion
 
 
 class PublishingSuggestionFormView(AjaxableFormView):
@@ -14,6 +13,7 @@ class PublishingSuggestionFormView(AjaxableFormView):
     title = _('Report a bug or suggestion')
     template = "publishing_suggest.html"
     success_message = _('Report was sent successfully.')
+    honeypot = True
 
 
 class SuggestionFormView(AjaxableFormView):
@@ -21,3 +21,4 @@ class SuggestionFormView(AjaxableFormView):
     title = _('Report a bug or suggestion')
     submit = _('Send report')
     success_message = _('Report was sent successfully.')
+    honeypot = True

diff --git a/apps/waiter/templates/waiter/wait.html b/apps/waiter/templates/waiter/wait.html
index f4dedc7..a9efecd 100644 (file)
--- a/apps/waiter/templates/waiter/wait.html
+++ b/apps/waiter/templates/waiter/wait.html
@@ -39,7 +39,8 @@
     </div>
 {% else %}
  {% if waiting %}
-    <h1>{% trans "Your file is being prepared, please wait." %}</h1>
+    <h1><img src="{{ STATIC_URL }}img/indicator.gif" alt="{% trans 'Please wait' %}"/>
+        {% trans "Your file is being prepared, please wait." %}</h1>
 
     <div class="normal-text">
     <p>{% blocktrans with d=waiting.description %}The file you requested was: <em>{{d}}</em>.{% endblocktrans %}</p>

diff --git a/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html b/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html
index 09e567a..0ec95b2 100644 (file)
--- a/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html
+++ b/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html
@@ -3,6 +3,7 @@
 
 {% block content %}
     <form action="{% url import_book %}" method="post" enctype="multipart/form-data">
+    {% csrf_token %}
         <p><input type="file" id="id_book_xml_file" name="book_xml_file" /> <input type="submit" value="{% trans "Import book" %}"/></p>
     </form>
     {{ block.super }}

diff --git a/apps/wolnelektury_core/templates/auth/login.html b/apps/wolnelektury_core/templates/auth/login.html
index 7fbd570..6d71cd5 100644 (file)
--- a/apps/wolnelektury_core/templates/auth/login.html
+++ b/apps/wolnelektury_core/templates/auth/login.html
@@ -3,6 +3,7 @@
 
 <form action="{{ request.get_full_path }}" method="post" accept-charset="utf-8"
        class="cuteform{% if placeholdize %} hidelabels{% endif %}">
+{% csrf_token %}
 <ol>
     <div id="id_{% if form_prefix %}{{ form_prefix }}-{% endif %}__all__"></div>
     {{ form.as_ul }}

diff --git a/apps/wolnelektury_core/templates/auth/login_register.html b/apps/wolnelektury_core/templates/auth/login_register.html
index f879d46..689c1ba 100755 (executable)
--- a/apps/wolnelektury_core/templates/auth/login_register.html
+++ b/apps/wolnelektury_core/templates/auth/login_register.html
@@ -1,5 +1,6 @@
 {% extends "auth/login.html" %}
 {% load i18n %}
+{% load honeypot %}
 
 {% block extra %}
 
@@ -9,6 +10,8 @@
 
 <form action="{% url register %}" method="post" accept-charset="utf-8"
        class="cuteform hidelabels">
+{% csrf_token %}
+{% honeypot_render_field %}
 <ol>
     <div id="id_register-__all__"></div>
     {{ register_form.as_ul }}

diff --git a/apps/wolnelektury_core/templates/piston/authorize_token.html b/apps/wolnelektury_core/templates/piston/authorize_token.html
index 4e45207..0fd06f8 100755 (executable)
--- a/apps/wolnelektury_core/templates/piston/authorize_token.html
+++ b/apps/wolnelektury_core/templates/piston/authorize_token.html
@@ -10,6 +10,7 @@
     <p>{% blocktrans %}Confirm to authorize access to Wolne Lektury as user <strong>{{ user}}</strong>.{% endblocktrans %}</p>
 
     <form action="{% url piston.authentication.oauth_user_auth %}" method="POST">
+    {% csrf_token %}
       {{ form.as_p }}
       <button type="submit">Confirm</button>
     </form>

diff --git a/apps/wolnelektury_core/templates/superbase.html b/apps/wolnelektury_core/templates/superbase.html
index a4a7830..f67d9f3 100644 (file)
--- a/apps/wolnelektury_core/templates/superbase.html
+++ b/apps/wolnelektury_core/templates/superbase.html
@@ -130,6 +130,7 @@
                 <div id="lang-menu-items">
                 {% for lang in LANGUAGES %}
                     <form action="{% url django.views.i18n.set_language %}" method="post">
+                    {% csrf_token %}
                     <input type="hidden" name="language" value="{{ lang.0 }}" />
                     <button type="submit"
                         class="{% ifequal lang.0 LANGUAGE_CODE %}active{% endifequal %} mono"

diff --git a/apps/wolnelektury_core/views.py b/apps/wolnelektury_core/views.py
index 37df778..f8de19e 100644 (file)
--- a/apps/wolnelektury_core/views.py
+++ b/apps/wolnelektury_core/views.py
@@ -53,6 +53,7 @@ class RegisterFormView(AjaxableFormView):
     submit = _('Register')
     ajax_redirect = True
     form_prefix = 'register'
+    honeypot = True
 
     def __call__(self, request):
         if request.user.is_authenticated():

diff --git a/requirements.txt b/requirements.txt
index bf8bb43..81451db 100644 (file)
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,6 +9,7 @@ django-maintenancemode>=0.9
 django-piston
 django-jsonfield
 django-allauth
+django-honeypot
 
 python-memcached
 piwik

diff --git a/wolnelektury/settings/__init__.py b/wolnelektury/settings/__init__.py
index fe091a1..2005797 100644 (file)
--- a/wolnelektury/settings/__init__.py
+++ b/wolnelektury/settings/__init__.py
@@ -6,6 +6,7 @@ from settings.basic import *
 from settings.auth import *
 from settings.cache import *
 from settings.celery import *
+from settings.contrib import *
 from settings.custom import *
 from settings.locale import *
 from settings.static import *
@@ -27,6 +28,7 @@ MIDDLEWARE_CLASSES = [
     'django.middleware.cache.UpdateCacheMiddleware',
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.middleware.doc.XViewMiddleware',
     'pagination.middleware.PaginationMiddleware',
@@ -41,6 +43,7 @@ MIDDLEWARE_CLASSES = [
 ROOT_URLCONF = 'wolnelektury.urls'
 
 INSTALLED_APPS = [
+    'wolnelektury_core',
     # external
     'django.contrib.auth',
     'django.contrib.contenttypes',
@@ -56,6 +59,7 @@ INSTALLED_APPS = [
     'sorl.thumbnail',
     'djcelery',
     'djkombu',
+    'honeypot',
     #    'django_nose',
 
     #allauth stuff
@@ -73,7 +77,6 @@ INSTALLED_APPS = [
     'modeltranslation',
 
     # our
-    'wolnelektury_core',
     'ajaxable',
     'api',
     'catalogue',

diff --git a/wolnelektury/settings/contrib.py b/wolnelektury/settings/contrib.py
new file mode 100644 (file)
index 0000000..ba6603b
--- /dev/null
+++ b/wolnelektury/settings/contrib.py
@@ -0,0 +1 @@
+HONEYPOT_FIELD_NAME = 'miut'