From: "Dave Brondsema"
Reply-To: "[allura:tickets]" <5475@tickets.allura.p.re.sf.net>
To: allura-dev@incubator.apache.org
Subject: [allura:tickets] #5475 Move CSRF token insertion from JS to easywidgets
Date: Tue, 12 Nov 2013 16:51:38 +0000

  • status: code-review --> in-progress

[tickets:#5475] Move CSRF token insertion from JS to easywidgets

Status: in-progress
Labels: p3 support 42cc
Created: Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
Last Updated: Mon Nov 11, 2013 10:50 PM UTC
Owner: nobody

Standard forms across Allura have a _session_id field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The ForgeForm class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.

AJAX forms can stay as-is, they use JS already anyway.


Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
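The pattern the ticket proposes, as an added, self-contained example (not Allura's code and not the ForgeForm or easywidgets implementation): the server renders the hidden _session_id field into the form markup itself, a browser with JavaScript disabled submits it back unchanged, and the server compares it in constant time against the token bound to the session. Only the field name _session_id comes from the ticket; the function names, the form widget stand-in, the Jinja-macro stand-in and the sample form data are assumptions made for illustration.

```python
"""Server-side CSRF token insertion, illustrative only (not Allura's code).

The hidden `_session_id` field is emitted by the form renderer, so a standard
form protects itself even when JavaScript is disabled.  Names other than the
field name are assumptions for this example.
"""
import hmac
import secrets
from html import escape
from html.parser import HTMLParser

CSRF_FIELD = "_session_id"  # field name from the ticket


def new_session_id() -> str:
    """Per-session random token; a real app keeps it in the server-side session."""
    return secrets.token_hex(16)


def csrf_input(session_id: str) -> str:
    """Stand-in for the one-line Jinja macro: the hidden field, rendered server-side."""
    return f'<input type="hidden" name="{CSRF_FIELD}" value="{escape(session_id, quote=True)}">'


def render_form(action: str, fields: dict, session_id: str) -> str:
    """Stand-in for a form widget that always embeds the token (hypothetical)."""
    parts = [f'<form method="post" action="{escape(action, quote=True)}">', csrf_input(session_id)]
    for name, value in fields.items():
        parts.append(
            f'<input type="text" name="{escape(name, quote=True)}" '
            f'value="{escape(str(value), quote=True)}">'
        )
    parts.append('<input type="submit"></form>')
    return "\n".join(parts)


class _FormFields(HTMLParser):
    """Collects name/value pairs from <input> tags, as a non-JS browser does on submit."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name") and a.get("type") != "submit":
            self.fields[a["name"]] = a.get("value") or ""


def submit_without_js(form_html: str) -> dict:
    """Simulate a plain HTML form submission: no script ran, fields come from markup."""
    p = _FormFields()
    p.feed(form_html)
    return p.fields


def verify_csrf(session_id: str, posted: dict) -> bool:
    """Server-side check: constant-time compare of the posted field with the session token."""
    submitted = posted.get(CSRF_FIELD, "")
    if not session_id or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted.encode(), session_id.encode())


def demo() -> dict:
    """Constructed scenario: legitimate no-JS submit, forged cross-site POST, foreign token."""
    sid = new_session_id()
    html = render_form("/p/example/tickets/new", {"summary": "Bug <1>"}, sid)
    legit = submit_without_js(html)
    forged = {"summary": "pwned"}  # cross-site POST: attacker cannot read the victim's sid
    foreign = dict(legit, **{CSRF_FIELD: new_session_id()})  # token from some other session
    return {
        "field_in_markup": f'name="{CSRF_FIELD}"' in html,
        "legit_ok": verify_csrf(sid, legit),
        "forged_ok": verify_csrf(sid, forged),
        "foreign_ok": verify_csrf(sid, foreign),
    }


if __name__ == "__main__":
    print(demo())
```

The check deliberately rejects an empty session token as well as a missing field, so a request that arrives before any session exists cannot pass by submitting an empty value. Hand-built templates that bypass the widget still need the equivalent of csrf_input() in their markup, which is the gap the ticket's one-line macro is meant to close.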
