2
0
mirror of https://expo.survex.com/repositories/troggle/.git synced 2024-11-26 09:11:54 +00:00

attempting to enable csrf cookie robustly

This commit is contained in:
Philip Sargent 2021-03-26 17:33:58 +00:00
parent f5e799d632
commit 1c7e99e91b
6 changed files with 32 additions and 43 deletions

View File

@ -128,11 +128,11 @@ INSTALLED_APPS = (
) )
MIDDLEWARE_CLASSES = ( MIDDLEWARE_CLASSES = (
'django.middleware.csrf.CsrfViewMiddleware', # Cross Site Request Forgeries by adding hidden form fields to POST
'django.middleware.security.SecurityMiddleware', # SECURE_SSL_REDIRECT and SECURE_SSL_HOST 'django.middleware.security.SecurityMiddleware', # SECURE_SSL_REDIRECT and SECURE_SSL_HOST
'django.contrib.sessions.middleware.SessionMiddleware', # Manages sessions across requests 'django.contrib.sessions.middleware.SessionMiddleware', # Manages sessions across requests
'django.middleware.common.CommonMiddleware', # DISALLOWED_USER_AGENTS, APPEND_SLASH and PREPEND_WWW 'django.middleware.common.CommonMiddleware', # DISALLOWED_USER_AGENTS, APPEND_SLASH and PREPEND_WWW
'django.middleware.csrf.CsrfViewMiddleware', # Cross Site Request Forgeries by adding hidden form fields to POST 'django.contrib.auth.middleware.AuthenticationMiddleware', # Adds the user attribute, representing the currently-logged-in user
'django.contrib.auth.middleware.AuthenticationMiddleware', # Adds the user attribute, representing the currently-logged-in user, to every incoming HttpRequest
'django.contrib.admindocs.middleware.XViewMiddleware', 'django.contrib.admindocs.middleware.XViewMiddleware',
'django.contrib.messages.middleware.MessageMiddleware', # Cookie-based and session-based message support 'django.contrib.messages.middleware.MessageMiddleware', # Cookie-based and session-based message support
'django.middleware.clickjacking.XFrameOptionsMiddleware', # clickjacking protection via the X-Frame-Options header 'django.middleware.clickjacking.XFrameOptionsMiddleware', # clickjacking protection via the X-Frame-Options header

View File

@ -23,7 +23,7 @@
You are logged in as {{ user.username }} You are logged in as {{ user.username }}
{% if user.person %}(<a href="{{ user.person.get_absolute_url }}">{{ user.person }}</a>) {% if user.person %}(<a href="{{ user.person.get_absolute_url }}">{{ user.person }}</a>)
{% endif %}. {% endif %}.
| <a href="{% url "auth_logout" %}">Log out</a> {% else %} <a href="{% url "registration_register" %}">Sign up</a> | <a href="{% url "auth_login" %}">Log in</a> {% endif %} | <a href="{% url "auth_logout" %}">Log out</a> {% else %} <a href='{% url "registration_register" %}'>Sign up</a> | <a href='{% url "auth_login" %}'>Log in</a> {% endif %}
{% endblock%} {% endblock%}
{% block editLink %} {% block editLink %}
@ -40,15 +40,10 @@
<a href="{% url "survexcavessingle" "204" %}">Surveys-204</a> | <a href="{% url "survexcavessingle" "204" %}">Surveys-204</a> |
<a href="{% url "expedition" 2018 %}">Expo2018</a> | <a href="{% url "expedition" 2018 %}">Expo2018</a> |
<a href="{% url "expedition" 2019 %}">Expo2019</a> | <a href="{% url "expedition" 2019 %}">Expo2019</a> |
<br> <br>
<a id="cuccLink" href="https://camcaving.uk">cucc server</a> | <a id="cuccLink" href="https://camcaving.uk">cucc server</a> |
<a id="expoWebsiteLink" href="http://expo.survex.com">expo server</a> | <a id="expoWebsiteLink" href="http://expo.survex.com">expo server</a> |
<a href="{% url "frontpage" %}">tasks to do </a> | <a href="{% url "frontpage" %}">tasks to do </a> |
<a id="cavesLink" href="{% url "caveindex" %}">caves</a> | <a id="cavesLink" href="{% url "caveindex" %}">caves</a> |
<a id="caversLink" href="{% url "personindex" %}">people</a> | <a id="caversLink" href="{% url "personindex" %}">people</a> |
@ -59,14 +54,11 @@
</div> </div>
<div id="nav"> <div id="nav">
{% block nav %} {% block nav %}
<!-- Use id="nav" for the left side menu --> <!-- Use id="nav" for the left side menu -->
{% endblock %} {% endblock %}
</div> </div>
<div id="content" > <div id="content" >
{% block contentheader %} {% block contentheader %}
@ -80,15 +72,11 @@
</script> </script>
{% endblock %} {% endblock %}
</div> </div>
{% block content %} {% block content %}
REPLACE : The content REPLACE : The content
{% endblock %} {% endblock %}
</div> </div>
<div class="footer"> <div class="footer">
</div> </div>
</body> </body>
</html> </html>

View File

@ -9,7 +9,7 @@
{% autoescape off %} {% autoescape off %}
<h1>Surveys for <a href="/{{cave.url}}">{{cave.official_name}}</a> - kataster:{{cave}}</h1> <h1>Surveys for <a href="/{{cave.url}}">{{cave.official_name}}</a> - kataster:{{cave}}</h1>
{% endautoescape %} {% endautoescape %}
<!-- the only thing passed into this temnplate is the object identifier for a cave. <!-- the only thing passed into this temnlate is the object identifier for a cave.
All the processing to extract the survex subdriectories and survex files is done in this template --> All the processing to extract the survex subdriectories and survex files is done in this template -->
<p>Cave description: <a href="/{{cave.url}}">{{cave.url}}</a> <p>Cave description: <a href="/{{cave.url}}">{{cave.url}}</a>

View File

@ -1,13 +1,14 @@
{% extends "base.html" %} {% extends "base.html" %}
{% load survex_markup %} {% load survex_markup %} <!-- this is core/templatetags/survex_markup.py for syntax colouring -->
{% block title %}{{ title }}{% endblock %} {% block title %}{{ title }}{% endblock %}
{% block head %} {% block head %}
<script type="text/javascript" src="{{settings.MEDIA_URL }}js/base.js"></script> <script type="text/javascript" src="{{settings.MEDIA_URL }}js/base.js"></script>
<script type="text/javascript" src="{{settings.JSLIB_URL}}jquery-form/jquery.form.min.js"></script> <!-- INVALID--> <!-- <script type="text/javascript" src="{{settings.JSLIB_URL}}jquery-form/jquery.form.min.js"></script> <!-- INVALID-->
<script type="text/javascript" src="{{settings.JSLIB_URL}}codemirror/codemirror.min.js"></script> <!-- INVALID--> <!-- <script type="text/javascript" src="{{settings.JSLIB_URL}}codemirror/codemirror.min.js"></script> <!-- INVALID-->
<!-- Not in use and not needed for simple text editor jquery
<script type="text/javascript"> <script type="text/javascript">
var codeeditor; var codeeditor;
$(document).ready(function() $(document).ready(function()
@ -33,16 +34,17 @@ $(document).ready(function()
}); });
</script> </script>
-->
{% endblock %} {% endblock %}
{% block content %} {% block content %}
<h1>Survex File: {{ title }}</h1> <h1>Survex File: {{ title }}</h1>
{% if svxincludes %} {% if svxincludes %}
<p><b>Included files:</b> <p><b>Included files:</b>
{% for svxinclude in svxincludes %} {% for svxinclude in svxincludes %}
<a href="{{svxinclude}}.svx">{{svxinclude}}</a> <a href="{{svxinclude}}.svx">{{svxinclude}}</a>
{% endfor %} {% endfor %}
</p> </p>
{% endif %} {% endif %}
@ -61,15 +63,15 @@ $(document).ready(function()
</pre> </pre>
{% if logmessage %} {% if logmessage %}
{% if has_3d %} {% if has_3d %}
<p><a href="{% url "threed" title %}">3d file</a></p> <p><a href='{% url "threed" title %}'>3d file</a></p>
{% else %} {% else %}
<p><b>No 3d file</b></p> <p><b>No 3d file</b></p>
{% endif %} {% endif %}
<pre> <pre>
LOGMESSAGES LOGMESSAGES
{{logmessage}} {{logmessage}}
</pre> </pre>
{% endif %} {% endif %}
</div> </div>

View File

@ -5,14 +5,14 @@
</pre> </pre>
{% if logmessage %} {% if logmessage %}
{% if has_3d %} {% if has_3d %}
<p><a href="{% url "threed" title %}">3d file</a></p> <p><a href='{% url "threed" title %}'>3d file</a></p>
{% else %} {% else %}
<p><b>No 3d file</b></p> <p><b>No 3d file</b></p>
{% endif %} {% endif %}
<pre> <pre>
LOGMESSAGES LOGMESSAGES
{{logmessage}} {{logmessage}}
</pre> </pre>
{% endif %} {% endif %}

View File

@ -115,9 +115,8 @@ actualurlpatterns = [
url(r'^survexfile/(?P<survex_file>.*?)\.log$', views_survex.svxraw), url(r'^survexfile/(?P<survex_file>.*?)\.log$', views_survex.svxraw),
url(r'^survexfile/(?P<survex_file>.*?)\.err$', views_survex.err), url(r'^survexfile/(?P<survex_file>.*?)\.err$', views_survex.err),
url(r'^survexfile/caves/$', views_survex.survexcaveslist, name="survexcaveslist"), url(r'^survexfile/caves/$', views_survex.survexcaveslist, name="survexcaveslist"),
url(r'^survexfile/(?P<survex_cave>.*)$', views_survex.survexcavesingle, name="survexcavessingle"), url(r'^survexfile/(?P<survex_cave>.*)$', views_survex.survexcavesingle, name="survexcavessingle"),
url(r'^survexfileraw/(?P<survex_file>.*?)\.svx$', views_survex.svxraw, name="svxraw"),
# url(r'^survey_files/download/(?P<path>.*)$', view_surveys.download), # needs rewriting # url(r'^survey_files/download/(?P<path>.*)$', view_surveys.download), # needs rewriting