mirror of
https://github.com/yuukiwww/taiko-web.git
synced 2024-10-22 17:05:49 +02:00
anti-csrf
This commit is contained in:
parent
873bd1a73e
commit
1e7477dd96
4
app.py
4
app.py
@ -14,6 +14,7 @@ from functools import wraps
|
||||
from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
|
||||
from flask_caching import Cache
|
||||
from flask_session import Session
|
||||
from flask_wtf.csrf import CSRFProtect, generate_csrf
|
||||
from ffmpy import FFmpeg
|
||||
from pymongo import MongoClient
|
||||
|
||||
@ -26,6 +27,7 @@ app.config['SESSION_COOKIE_HTTPONLY'] = False
|
||||
app.cache = Cache(app, config=config.REDIS)
|
||||
sess = Session()
|
||||
sess.init_app(app)
|
||||
csrf = CSRFProtect(app)
|
||||
|
||||
db = client[config.MONGO['database']]
|
||||
db.users.create_index('username', unique=True)
|
||||
@ -106,6 +108,7 @@ def get_config():
|
||||
config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/'
|
||||
|
||||
config_out['_version'] = get_version()
|
||||
config_out['_csrf_token'] = generate_csrf()
|
||||
return config_out
|
||||
|
||||
|
||||
@ -126,7 +129,6 @@ def get_version():
|
||||
|
||||
|
||||
@app.route('/')
|
||||
@app.cache.cached(timeout=15)
|
||||
def route_index():
|
||||
version = get_version()
|
||||
return render_template('index.html', version=version, config=get_config())
|
||||
|
@ -423,6 +423,7 @@ class Account{
|
||||
})
|
||||
if(obj){
|
||||
request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
|
||||
request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
|
||||
request.send(JSON.stringify(obj))
|
||||
}else{
|
||||
request.send()
|
||||
|
@ -6,6 +6,7 @@
|
||||
{% endfor %}
|
||||
<div class="song-form">
|
||||
<form method="post">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
|
||||
<div class="form-field">
|
||||
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled"{% if song.enabled %} checked{% endif %}{% if admin.user_level < 100 %} disabled {% endif %}><label for="enabled"> Enabled</label></span>
|
||||
@ -124,6 +125,7 @@
|
||||
</form>
|
||||
{% if admin.user_level >= 100 %}
|
||||
<form class="delete-song" method="post" action="/admin/songs/{{song.id}}/delete" onsubmit="return confirm('Are you sure you wish to delete this song?');">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
<button type="submit">Delete song</button>
|
||||
</form>
|
||||
{% endif %}
|
||||
|
@ -6,9 +6,10 @@
|
||||
{% endfor %}
|
||||
<div class="song-form">
|
||||
<form method="post">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||
|
||||
<div class="form-field">
|
||||
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled" checked><label for="enabled"> Enabled</label></span>
|
||||
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled"><label for="enabled"> Enabled</label></span>
|
||||
</div>
|
||||
|
||||
<div class="form-field">
|
||||
|
Loading…
Reference in New Issue
Block a user