incubator-allura-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Igor Bondarenko" <jetm...@users.sf.net>
Subject [allura:tickets] #5475 Move CSRF token insertion from JS to easywidgets
Date Mon, 11 Nov 2013 11:16:26 GMT
Closed #472, #473

`je/42cc_5475`


---

** [tickets:#5475] Move CSRF token insertion from JS to easywidgets**

**Status:** code-review
**Labels:** p3 support 42cc 
**Created:** Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
**Last Updated:** Fri Nov 01, 2013 08:23 AM UTC
**Owner:** nobody

Standard forms across on Allura have a `_session_id` field inserted by JS.  AJAX forms insert
it themselves.  This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side
instead of client-side.  The `ForgeForm` class seems like a useful place to do this.  Other
manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around
too probably) will need it in the jinja template.  A one-line macro seems like a good way
to handle that.

AJAX forms can stay as-is, they use JS already anyway.


---

Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options.
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
Mime
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message