From 0dfbd1c84f13ee18451f739987f918cb5ac620ab Mon Sep 17 00:00:00 2001
From: wookey <devnull@localhost>
Date: Tue, 2 Jul 2013 17:26:35 +0100
Subject: [PATCH] Add csrf token to registration forms

---
 registration/views.py                         | 17 ++++++++++++++---
 settings.py                                   |  7 +------
 templates/registration/registration_form.html |  2 +-
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/registration/views.py b/registration/views.py
index 2d4373a..5df17b4 100644
--- a/registration/views.py
+++ b/registration/views.py
@@ -7,6 +7,7 @@ from django.contrib.auth import authenticate
 
 from django.conf import settings
 from django.core.urlresolvers import reverse
+from django.core.context_processors import csrf
 from django.http import HttpResponseRedirect
 from django.shortcuts import render_to_response
 from django.template import RequestContext
@@ -64,6 +65,10 @@ def activate(request, activation_key,
     
     """
 
+    # Generate CSRF token
+    c = {}
+    c.update(csrf(request))
+
     
     activation_key = activation_key.lower() # Normalize before trying anything with it.
     account = RegistrationProfile.objects.activate_user(activation_key)
@@ -76,9 +81,10 @@ def activate(request, activation_key,
     context = RequestContext(request)
     for key, value in extra_context.items():
         context[key] = callable(value) and value() or value
+    # merge local settings dict with csrf token dict and render. (could use render()from django 1.34 onwards)
     return render_to_response(template_name,
-                              { 'account': account,
-                                'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS, 'settings':settings},
+                              c.update({ 'account': account,
+                                'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS, 'settings':settings, }),
                               context_instance=context)
 
 
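Review bot: `c.update({...})` returns `None`, so the dictionary argument passed to `render_to_response` in `activate` is `None` rather than the merged dict, and `account`, `expiration_days`, `settings` and the token collected in `c` do not reach the template through it. The `register` hunk has the same defect in `c.update({ 'form': form,'settings':settings })`, where the template would most likely render without `form` and so without any fields. Do the merge as its own statement before the call, `c.update({'account': account, 'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS, 'settings': settings})`, and then pass `c` as the second argument. Because `context_instance` is a `RequestContext`, the token may already be supplied by the context processors (this depends on the Django version and on the full `TEMPLATE_CONTEXT_PROCESSORS`, which is not visible here), in which case the manual `csrf(request)` step is redundant. The bodies of both functions start outside these hunks, so `extra_context` handling above was not reviewed.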
@@ -140,6 +146,10 @@ def register(request, success_url=None,
     argument.
     
     """
+    # Generate CSRF token
+    c = {}
+    c.update(csrf(request))
+
     if request.method == 'POST':
         form = form_class(data=request.POST, files=request.FILES)
         if form.is_valid():
@@ -158,6 +168,7 @@ def register(request, success_url=None,
     context = RequestContext(request)
     for key, value in extra_context.items():
         context[key] = callable(value) and value() or value
+    # merge local settings dict with csrf token dict and render. (could use render()from django 1.34 onwards)
     return render_to_response(template_name,
-                              { 'form': form,'settings':settings },
+                              c.update({ 'form': form,'settings':settings }),
                               context_instance=context)
diff --git a/settings.py b/settings.py
index 5e8ba64..1d2d423 100644
--- a/settings.py
+++ b/settings.py
@@ -61,17 +61,12 @@ TEMPLATE_CONTEXT_PROCESSORS = ( "django.core.context_processors.auth", "core.con
 
 LOGIN_REDIRECT_URL = '/'
 
-if django.VERSION[0] >=1 and django.VERSION[1] > 1:
-    csrfmiddleware = 'django.middleware.csrf.CsrfViewMiddleware'
-else:
-    csrfmiddleware = 'django.contrib.csrf.middleware.CsrfMiddleware'
-
 MIDDLEWARE_CLASSES = (
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.redirects.middleware.RedirectFallbackMiddleware',
-    csrfmiddleware,
+    'django.middleware.csrf.CsrfViewMiddleware',
     'troggle.middleware.SmartAppendSlashMiddleware'
 )
 
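Review bot: Hard-coding `'django.middleware.csrf.CsrfViewMiddleware'` drops the fallback for Django releases before 1.2, and nothing in the hunk records that new minimum version; a comment above `MIDDLEWARE_CLASSES` such as `# CSRF protection: requires Django >= 1.2 (django.middleware.csrf)` would make it explicit. On installations that previously took the `django.contrib.csrf.middleware.CsrfMiddleware` branch, that middleware inserted the token into responses itself, whereas `CsrfViewMiddleware` only validates, so every POST form template needs `{% csrf_token %}`. This commit updates only `registration_form.html`, so the other POST forms in the project are worth checking before this is deployed. If `django` was imported in settings.py only for the removed version test, that import is now unused (the top of the file is outside this hunk).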
diff --git a/templates/registration/registration_form.html b/templates/registration/registration_form.html
index 5720a8b..6c82abe 100644
--- a/templates/registration/registration_form.html
+++ b/templates/registration/registration_form.html
@@ -9,7 +9,7 @@ registration_form.html | {{ block.super }}
 {% endblock %}
 
 {% block content %}
-<form action="{% url registration_register %}" method="POST">
+<form action="{% url registration_register %}" method="POST">{% csrf_token %}
         {% for error in form.non_field_errors %}
         <span style="color:red">{{ error }}</span>
         {% endfor %}