Fix (some) CSRFs

refucktor
informatic 2018-03-13 12:00:04 +01:00
parent f60e45df08
commit ce179f14d4
4 changed files with 14 additions and 12 deletions


@ -63,7 +63,7 @@ def admin_ldap_sync():
form.starving_to_remove.default = diff['starving_to_remove']
form.process(request.form)
if request.method == "POST" and form.validate():
if form.validate():
changes = {'fatty': {}, 'starving': {}}
changes['fatty']['add'] = form.fatty_to_add.data
changes['fatty']['remove'] = form.fatty_to_remove.data
@ -263,7 +263,7 @@ def sendspam():
form.process(request.form)
if request.method == 'POST' and form.validate():
if form.validate():
spam = []
for member in members:
if member.id not in form.members.data:
@ -281,7 +281,7 @@ def sendspam():
continue
msg = MIMEText(content, "plain", "utf-8")
msg["From"] = "Faszysta Hackerspace'owy <fascist@hackerspace.pl>"
msg["From"] = "Kasownik Hackerspace'owy <kasownik@hackerspace.pl>"
msg["Subject"] = "Stan składek na dzień %s" % now.strftime("%d/%m/%Y")
msg["To"] = member.get_contact_email()
spam.append(msg)
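Review bot: Dropping the `request.method == "POST"` guard in admin_ldap_sync and sendspam leaves a bare `form.validate()`, which on a GET runs every validator against the empty `request.form` passed to `form.process()` just above; with FlaskForm the absent CSRF token makes that fail closed, but only while `WTF_CSRF_ENABLED` stays on. Flask-WTF's `if form.validate_on_submit():` keeps the submitted-method check and the CSRF check in a single call and is the idiomatic replacement for both lines. The template that renders the sendspam form is not part of this commit; if it does not emit `{{ form.hidden_tag() }}`, every POST to sendspam now fails validation — safe, but the feature silently stops working. Both functions begin before and continue after these hunks.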


@ -29,16 +29,16 @@ class MultiCheckboxField(SelectMultipleField):
widget = widgets.ListWidget(prefix_label=False)
option_widget = widgets.CheckboxInput()
class LoginForm(Form):
class LoginForm(FlaskForm):
username = TextField('Username', [validators.Required()])
password = PasswordField('Password', [validators.Required()])
class ContactEmailSettingsForm(Form):
class ContactEmailSettingsForm(FlaskForm):
local = BooleanField("")
ldap = BooleanField("")
custom = TextField("Custom address:")
class LDAPSyncForm(Form):
class LDAPSyncForm(FlaskForm):
fatty_to_add = MultiCheckboxField("Fatty to add", choices=[])
fatty_to_remove = MultiCheckboxField("Fatty to remove", choices=[])
starving_to_add = MultiCheckboxField("Starving to add", choices=[])
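Review bot: Switching these three classes to `FlaskForm` only produces a CSRF check when the app has `SECRET_KEY` configured and `WTF_CSRF_ENABLED` is not set to false; the `from flask_wtf import FlaskForm` import is outside this hunk, so confirm it replaced the old `Form` import rather than leaving both in scope. Since the title concedes that only some forms are covered, app-wide `CSRFProtect(app)` from flask_wtf would reject any POST/PUT/DELETE without a token regardless of which form class a view uses and would also cover hand-written forms, which is harder to miss than converting classes one by one. While these lines are touched, `validators.Required` and `TextField` are deprecated WTForms aliases for `DataRequired` and `StringField`. LDAPSyncForm continues past the end of the hunk.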


@ -7,6 +7,7 @@
<h2>No sync required - groups are up to date.</h2>
{% else %}
<form method="post" action="/admin/ldapsync">
{{ form.hidden_tag() }}
<div class="col-md-12">
<input type="submit" value="Sync" />
</div>


@ -2,12 +2,13 @@
{% block title %}Sign in{% endblock %}
{% block content %}
<div class="container">
<form class="form-signin" method="post" action="/login">
<label for="inputEmail" class="sr-only">Username</label>
<input type="text" id="username" class="form-control" name="username" placeholder="Username" required autofocus>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" id="password" class="form-control" name="password" placeholder="Password" required>
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
<form class="form-signin" method="post" action="/login">
{{ form.hidden_tag() }}
<label for="inputEmail" class="sr-only">Username</label>
<input type="text" id="username" class="form-control" name="username" placeholder="Username" required autofocus>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" id="password" class="form-control" name="password" placeholder="Password" required>
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
</form>
</div>
{% endblock %}
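Review bot: The `<label for="inputEmail">` and `<label for="inputPassword">` on the new side do not match the input ids `username` and `password`, so the screen-reader-only labels are detached from their fields; change them to `<label for="username" class="sr-only">Username</label>` and `<label for="password" class="sr-only">Password</label>`. Adding `{{ form.hidden_tag() }}` to the login form is worth keeping even though it looks cosmetic: it blocks login CSRF, where an attacker silently signs the victim into an attacker-controlled account. Presumably the `/login` view already passes `form` to this template on GET, since `hidden_tag()` needs it to render the token before any POST — confirm against the handler.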