From: "Igor Bondarenko" (via SourceForge ticket notifications, noreply@sourceforge.net)
To: "[allura:tickets] " <5475@tickets.allura.p.re.sf.net>
Reply-To: "[allura:tickets] " <5475@tickets.allura.p.re.sf.net>
List: allura-dev@incubator.apache.org
Subject: [allura:tickets] #5475 Move CSRF token insertion from JS to easywidgets
Date: Fri, 01 Nov 2013 08:23:17 +0000
In-Reply-To: <50cf8e2d1be1ce5545da56b8.tickets@allura.p.sourceforge.net>
References: <50cf8e2d1be1ce5545da56b8.tickets@allura.p.sourceforge.net>
  • status: open --> in-progress

[tickets:#5475] Move CSRF token insertion from JS to easywidgets

Status: in-progress
Labels: p3 support 42cc
Created: Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
Last Updated: Thu Oct 31, 2013 07:37 PM UTC
Owner: nobody

Standard forms across Allura have a `_session_id` field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.

For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The `ForgeForm` class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.

AJAX forms can stay as-is, they use JS already anyway.


Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

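As an added, stand-alone illustration of the server-side approach the ticket proposes (this is not Allura's own `ForgeForm`, easywidgets or jinja code; the `Form`, `csrf_field` and `csrf_check` names are assumptions, and the check assumes the token is compared with the session cookie, which the ticket does not spell out), the sketch below emits the `_session_id` hidden field at render time, so it is present even when no JS runs, and validates it on submission:

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

FIELD = "_session_id"  # the field name the ticket says JS currently inserts


def csrf_field(session_id):
    """What a one-line jinja macro would emit into a hand-written template.
    The value sits inside an attribute, so it must be HTML-escaped."""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD, html.escape(session_id, quote=True))


class Form:
    """Hypothetical stand-in for a server-rendered form base class: every
    form rendered through it carries the token without any client-side JS."""
    action = "/post"
    fields = ()

    def render(self, session_id):
        inputs = "".join('<input name="%s">' % html.escape(f)
                         for f in self.fields)
        return '<form method="post" action="%s">%s%s</form>' % (
            self.action, inputs, csrf_field(session_id))


class CommentForm(Form):
    fields = ("text",)


def csrf_check(session_cookie, body):
    """Submission-time check (assumed double-submit scheme): the posted token
    must equal the session id from the cookie; compare in constant time."""
    if not session_cookie:
        return False
    posted = parse_qs(body).get(FIELD, [""])[0]
    return hmac.compare_digest(posted, session_cookie)


def new_session_id():
    """Fresh, unguessable session id (32 hex chars)."""
    return secrets.token_hex(16)
```

A form submitted without the field (the no-JS case the ticket is about) fails `csrf_check`, which is exactly why the field has to be rendered server-side.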
