Commit e0f5a9e5 authored by Mathis Dedial

Protect against CSRF

parent d87f82be
from flask import Flask, g, session
from flask_wtf.csrf import CSRFProtect
from .models import db
from nethz.ldap import AuthenticatedLdap
......@@ -11,6 +12,9 @@ app.secret_key = app.config['SECRET_KEY']
ldap_connector = AuthenticatedLdap(app.config['LDAP_USERNAME'],
app.config['LDAP_PASSWORD'])
# Initialize CSRFProtect extension
csrf = CSRFProtect(app)
# Bind SQLAlchemy to Flask app
db.init_app(app)
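Review bot: `csrf = CSRFProtect(app)` enables token checks on every POST/PUT/PATCH/DELETE request, not only the two forms patched in this commit, so any route that is called from JavaScript or a non-browser client (if such routes exist) will start returning 400 unless it sends the token in the `X-CSRFToken` header or is marked `@csrf.exempt`; neither is visible here. The token is kept in the Flask session and signed with `SECRET_KEY` (set on the line above the LDAP connector), so the protection is only as strong as that key and the session cookie. The comment above the call names the mechanism but not the contract the templates must honour; I'd change it to `# Enable Flask-WTF CSRF protection for all state-changing requests; every POST form in templates must emit csrf_token()`.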
......@@ -125,6 +125,7 @@
<input class="form-control" id="input_name" name="name" type="text" placeholder="Give your burger a name">
<input class="form-control" id="input_description" name="description" type="text" placeholder="Describe your burger"> <br/>
<input class="btn btn-primary" type="submit" value="Create Burger">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
</div>
</section>
</div>
......@@ -64,13 +64,17 @@
<h4 class="text-secondary mb-3">{{ burger.vote_count }} Votes</h4>
<form action="/vote" method="POST">
{% if not burger.vote_id %}
<button class="btn btn-primary" type="submit">
<img src="static/images/like.png" alt="Like"> Like
</button>
<input type="hidden" name="action" value="like"> {% else %}
<button class="btn btn-muted" type="submit">Unlike</button>
<input type="hidden" name="action" value="unlike"> {% endif %}
<button class="btn btn-primary" type="submit">
<img src="static/images/like.png" alt="Like"> Like
</button>
<input type="hidden" name="action" value="like">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
{% else %}
<button class="btn btn-muted" type="submit">Unlike</button>
<input type="hidden" name="action" value="unlike">
{% endif %}
<input type="hidden" name="burger_id" value="{{ burger.id }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
</form>
</div>
</div>
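Review bot: The `{% if not burger.vote_id %}` branch emits its own `<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">` and the line after `{% endif %}` emits a second one, so the Like form posts the field twice while Unlike posts it once. Flask-WTF reads a single `csrf_token` value, so both still validate, but the duplicate reads like an intended difference between the two branches; drop the one inside the branch and keep only the unconditional line next to `burger_id`. The `<form action="/vote" method="POST">` is otherwise correctly covered by the new extension.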
......@@ -4,6 +4,7 @@ Flask==0.12.2
Flask-Login==0.4.1
Flask-SQLAlchemy==2.3.2
Flask-Webpack==0.1.0
Flask-WTF==0.14.2
isort==4.3.4
itsdangerous==0.24
Jinja2==2.10
......@@ -11,6 +12,7 @@ lazy-object-proxy==1.3.1
ldap3==2.4.1
MarkupSafe==1.0
mccabe==0.6.1
-e git+https://github.com/NotSpecial/nethz.git@1d3004081c3618f1f41463476a847b0bddd6d91a#egg=nethz
pyasn1==0.4.2
pyldap==2.4.45
pylint==1.8.2
......@@ -19,4 +21,4 @@ six==1.11.0
SQLAlchemy==1.2.3
Werkzeug==0.14.1
wrapt==1.10.11
-e git+https://github.com/NotSpecial/nethz.git#egg=nethz
WTForms==2.1