[tickets:#5475] Move CSRF token insertion from JS to easywidgets
Status: in-progress
Labels: p3 support 42cc
Created: Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
Last Updated: Thu Oct 31, 2013 07:37 PM UTC
Owner: nobody
Standard forms across Allura have a _session_id field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.
For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The ForgeForm class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.
AJAX forms can stay as-is; they use JS already anyway.
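As an added example (not Allura's own code), here is the server-side half of what the ticket proposes: render the `_session_id` hidden field from the session token instead of injecting it with JS, and check it on submit. The double-submit comparison against a same-named cookie, the function names and the macro text are assumptions for illustration, not Allura's implementation.

```python
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

CSRF_FIELD = "_session_id"  # field name the ticket says Allura forms carry


def issue_session_token() -> str:
    """Mint an unguessable per-session token (assumed to be set as the _session_id cookie)."""
    return secrets.token_hex(16)


def csrf_hidden_input(token: str) -> str:
    """Render the hidden field server-side, the way a ForgeForm change or a one-line
    Jinja macro would, so the form works with JS disabled.

    Hypothetical macro equivalent (not Allura's):
        {% macro csrf_field(token) %}
          <input type="hidden" name="_session_id" value="{{ token }}">
        {% endmacro %}
    The value is attribute-escaped so an odd token can never break out of the tag.
    """
    return '<input type="hidden" name="%s" value="%s">' % (
        CSRF_FIELD, escape(token, quote=True))


def verify_csrf(form_body: str, cookies: dict) -> bool:
    """Assumed double-submit check: the token posted in the form must equal the
    session cookie. A missing or empty value on either side fails closed, and the
    comparison is constant-time so the token cannot be guessed byte by byte."""
    posted = parse_qs(form_body).get(CSRF_FIELD, [""])[0]
    expected = cookies.get(CSRF_FIELD, "")
    if not posted or not expected:
        return False
    return hmac.compare_digest(posted.encode(), expected.encode())


def demo():
    """Constructed round trip: a legitimate submit carries the field, a cross-site
    form cannot (it never sees the cookie), so only the first passes."""
    token = issue_session_token()
    cookies = {CSRF_FIELD: token}
    html = csrf_hidden_input(token)          # what the server would emit in the form
    assert 'name="%s"' % CSRF_FIELD in html
    legit = "title=hello&%s=%s" % (CSRF_FIELD, token)
    forged = "title=hello"                   # constructed cross-site POST, no token
    return verify_csrf(legit, cookies), verify_csrf(forged, cookies)
```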