From cf21ebb1502a1f5b7dfc285b9f9e3af4ede3e993 Mon Sep 17 00:00:00 2001 From: Radek Czajka Date: Fri, 23 Mar 2012 14:09:44 +0100 Subject: [PATCH] csrf and honeypots --- apps/ajaxable/templates/ajaxable/form.html | 6 ++++++ apps/ajaxable/utils.py | 8 ++++++++ apps/catalogue/templates/catalogue/book_short.html | 1 + apps/catalogue/views.py | 1 + apps/social/templates/social/sets_form.html | 2 ++ apps/suggest/templates/publishing_suggest.html | 3 +++ apps/suggest/views.py | 3 ++- apps/waiter/templates/waiter/wait.html | 3 ++- .../templates/admin/catalogue/book/change_list.html | 1 + apps/wolnelektury_core/templates/auth/login.html | 1 + apps/wolnelektury_core/templates/auth/login_register.html | 3 +++ .../templates/piston/authorize_token.html | 1 + apps/wolnelektury_core/templates/superbase.html | 1 + apps/wolnelektury_core/views.py | 1 + requirements.txt | 1 + wolnelektury/settings/__init__.py | 5 ++++- wolnelektury/settings/contrib.py | 1 + 17 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 wolnelektury/settings/contrib.py diff --git a/apps/ajaxable/templates/ajaxable/form.html b/apps/ajaxable/templates/ajaxable/form.html index 84e86e15f..38113dbb6 100755 --- a/apps/ajaxable/templates/ajaxable/form.html +++ b/apps/ajaxable/templates/ajaxable/form.html @@ -1,8 +1,14 @@ {% load i18n %} +

{{ title }}

+{% csrf_token %} +{% if honeypot %} + {% load honeypot %} + {% render_honeypot_field %} +{% endif %}
    {{ form.as_ul }} diff --git a/apps/ajaxable/utils.py b/apps/ajaxable/utils.py index 02e87671e..52cf63833 100755 --- a/apps/ajaxable/utils.py +++ b/apps/ajaxable/utils.py @@ -10,6 +10,7 @@ from django.utils.http import urlquote_plus from django.utils import simplejson from django.utils.translation import ugettext_lazy as _ from django.views.decorators.vary import vary_on_headers +from honeypot.decorators import verify_honeypot_value class LazyEncoder(simplejson.JSONEncoder): @@ -76,6 +77,7 @@ class AjaxableFormView(object): formname = "form" form_prefix = None full_template = "ajaxable/form_on_page.html" + honeypot = False @method_decorator(vary_on_headers('X-Requested-With')) def __call__(self, request, *args, **kwargs): @@ -86,6 +88,11 @@ class AjaxableFormView(object): form_kwargs['prefix'] = self.form_prefix if request.method == "POST": + if self.honeypot: + response = verify_honeypot_value(request, None) + if response: + return response + # do I need to be logged in? if self.POST_login and not request.user.is_authenticated(): return require_login(request) @@ -136,6 +143,7 @@ class AjaxableFormView(object): context = { self.formname: form, "title": title, + "honeypot": self.honeypot, "placeholdize": self.placeholdize, "submit": self.submit, "response_data": response_data, diff --git a/apps/catalogue/templates/catalogue/book_short.html b/apps/catalogue/templates/catalogue/book_short.html index 1b1eb4b43..d9b5b7689 100644 --- a/apps/catalogue/templates/catalogue/book_short.html +++ b/apps/catalogue/templates/catalogue/book_short.html @@ -27,6 +27,7 @@
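Review bot: The `{% load honeypot %}` placed inside `{% if honeypot %}` only looks conditional — Django resolves `{% load %}` when the template is parsed, so the library is loaded whether or not the branch runs; move it up next to `{% load i18n %}` and keep only `{% render_honeypot_field %}` inside the `if`, which is also how publishing_suggest.html in this commit does it. The new `{% csrf_token %}` renders as an empty string unless the view supplies the csrf context (RequestContext / the csrf context processor), and how AjaxableFormView renders this template is not visible in the hunk, so that is worth confirming before relying on the token. Both additions protect a POST only if CsrfViewMiddleware is enabled and the view opts into honeypot verification; the settings change that presumably enables the middleware is outside this chunk.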
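Review bot: The branch under `if self.honeypot:` returns whatever `verify_honeypot_value` hands back — in django-honeypot that is a plain HttpResponseBadRequest with an HTML body — while the AJAX callers of this view presumably expect the JSON shape the class builds with `LazyEncoder`, so a tripped honeypot will surface as an unparsable 400 on the client; either confirm the front-end tolerates that or translate it into the view's JSON error response. Passing `None` as the field name also makes the check depend entirely on `HONEYPOT_FIELD_NAME` from the new settings/contrib.py, which is not in this chunk; a one-line comment saves the next reader the lookup: `# None -> settings.HONEYPOT_FIELD_NAME; must match the name emitted by {% render_honeypot_field %}`. Note the check only runs for subclasses that set `honeypot = True`, so a template that renders the field for a view without that flag gets no protection at all. `__call__` continues outside the hunk.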
    + {% csrf_token %}
    diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py index 0c05d17a8..5dff961d4 100644 --- a/apps/catalogue/views.py +++ b/apps/catalogue/views.py @@ -556,6 +556,7 @@ class CustomPDFFormView(AjaxableFormView): form_class = forms.CustomPDFForm title = ugettext_lazy('Download custom PDF') submit = ugettext_lazy('Download') + honeypot = True def __call__(self, request): from copy import copy diff --git a/apps/social/templates/social/sets_form.html b/apps/social/templates/social/sets_form.html index 2ea1a867d..c7282fd9a 100755 --- a/apps/social/templates/social/sets_form.html +++ b/apps/social/templates/social/sets_form.html @@ -3,11 +3,13 @@
    +{% csrf_token %}
    +{% csrf_token %}
      {{ form.as_ul }} diff --git a/apps/suggest/templates/publishing_suggest.html b/apps/suggest/templates/publishing_suggest.html index 3e710008c..ea1d9264f 100755 --- a/apps/suggest/templates/publishing_suggest.html +++ b/apps/suggest/templates/publishing_suggest.html @@ -1,8 +1,11 @@ {% load i18n %} +{% load honeypot %} +

      {% trans "Didn't find a book? Make a suggestion." %}

      {% csrf_token %} +{% render_honeypot_field %}
      1. {{ form.contact.errors }} {{ form.contact }}
      2. diff --git a/apps/suggest/views.py b/apps/suggest/views.py index 15b65f24d..035074d0a 100644 --- a/apps/suggest/views.py +++ b/apps/suggest/views.py @@ -6,7 +6,6 @@ from django.utils.translation import ugettext_lazy as _ from ajaxable.utils import AjaxableFormView from suggest import forms -from suggest.models import Suggestion, PublishingSuggestion class PublishingSuggestionFormView(AjaxableFormView): @@ -14,6 +13,7 @@ class PublishingSuggestionFormView(AjaxableFormView): title = _('Report a bug or suggestion') template = "publishing_suggest.html" success_message = _('Report was sent successfully.') + honeypot = True class SuggestionFormView(AjaxableFormView): @@ -21,3 +21,4 @@ class SuggestionFormView(AjaxableFormView): title = _('Report a bug or suggestion') submit = _('Send report') success_message = _('Report was sent successfully.') + honeypot = True diff --git a/apps/waiter/templates/waiter/wait.html b/apps/waiter/templates/waiter/wait.html index f4dedc77a..a9efecddb 100644 --- a/apps/waiter/templates/waiter/wait.html +++ b/apps/waiter/templates/waiter/wait.html @@ -39,7 +39,8 @@ {% else %} {% if waiting %} -

        {% trans "Your file is being prepared, please wait." %}

        +

        {% trans 'Please wait' %} + {% trans "Your file is being prepared, please wait." %}

        {% blocktrans with d=waiting.description %}The file you requested was: {{d}}.{% endblocktrans %}

        diff --git a/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html b/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html index 09e567a5d..0ec95b24d 100644 --- a/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html +++ b/apps/wolnelektury_core/templates/admin/catalogue/book/change_list.html @@ -3,6 +3,7 @@ {% block content %} + {% csrf_token %}

        {{ block.super }} diff --git a/apps/wolnelektury_core/templates/auth/login.html b/apps/wolnelektury_core/templates/auth/login.html index 7fbd570c0..6d71cd5b4 100644 --- a/apps/wolnelektury_core/templates/auth/login.html +++ b/apps/wolnelektury_core/templates/auth/login.html @@ -3,6 +3,7 @@
        +{% csrf_token %}
          {{ form.as_ul }} diff --git a/apps/wolnelektury_core/templates/auth/login_register.html b/apps/wolnelektury_core/templates/auth/login_register.html index f879d4674..689c1bace 100755 --- a/apps/wolnelektury_core/templates/auth/login_register.html +++ b/apps/wolnelektury_core/templates/auth/login_register.html @@ -1,5 +1,6 @@ {% extends "auth/login.html" %} {% load i18n %} +{% load honeypot %} {% block extra %} @@ -9,6 +10,8 @@ +{% csrf_token %} +{% honeypot_render_field %}
            {{ register_form.as_ul }} diff --git a/apps/wolnelektury_core/templates/piston/authorize_token.html b/apps/wolnelektury_core/templates/piston/authorize_token.html index 4e4520734..0fd06f82c 100755 --- a/apps/wolnelektury_core/templates/piston/authorize_token.html +++ b/apps/wolnelektury_core/templates/piston/authorize_token.html @@ -10,6 +10,7 @@
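Review bot: `{% honeypot_render_field %}` in the register form does not match the tag name the other two templates in this commit use, `{% render_honeypot_field %}` (ajaxable/form.html, publishing_suggest.html); unless the honeypot library registers both spellings, Django will raise an "Invalid block tag" TemplateSyntaxError the first time the login/register page renders, so this line should read `{% render_honeypot_field %}`. The rendered field is also only useful if the registration view verifies it on POST; the one-line change to wolnelektury_core/views.py is outside this chunk, so please confirm it sets `honeypot = True` (or calls `verify_honeypot_value`) for that view. The enclosing `{% block extra %}` continues outside the hunk.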

            {% blocktrans %}Confirm to authorize access to Wolne Lektury as user {{ user}}.{% endblocktrans %}

            + {% csrf_token %} {{ form.as_p }} diff --git a/apps/wolnelektury_core/templates/superbase.html b/apps/wolnelektury_core/templates/superbase.html index a4a7830e2..f67d9f384 100644 --- a/apps/wolnelektury_core/templates/superbase.html +++ b/apps/wolnelektury_core/templates/superbase.html @@ -130,6 +130,7 @@
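Review bot: This is the form where the CSRF token matters most and it deserves a comment saying so: a cross-site POST to the OAuth authorize endpoint could approve a request token on behalf of a logged-in user, handing API access to a third party, so `{# CSRF check is essential here: a forged POST would grant API access to another site #}` above the token would stop a future cleanup from dropping it. The protection only holds if the piston view that serves this template is not `@csrf_exempt` and renders it with a RequestContext so the token is non-empty; neither is visible in this chunk, so confirm both.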
            {% for lang in LANGUAGES %}
            + {% csrf_token %}