Add csrf token to registration forms

This commit is contained in:
wookey 2013-07-02 17:26:35 +01:00
parent 97c7a2fd87
commit 0dfbd1c84f
3 changed files with 16 additions and 10 deletions


@ -7,6 +7,7 @@ from django.contrib.auth import authenticate
from django.conf import settings from django.conf import settings
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.core.context_processors import csrf
from django.http import HttpResponseRedirect from django.http import HttpResponseRedirect
from django.shortcuts import render_to_response from django.shortcuts import render_to_response
from django.template import RequestContext from django.template import RequestContext
@ -64,6 +65,10 @@ def activate(request, activation_key,
""" """
# Generate CSRF token
c = {}
c.update(csrf(request))
activation_key = activation_key.lower() # Normalize before trying anything with it. activation_key = activation_key.lower() # Normalize before trying anything with it.
account = RegistrationProfile.objects.activate_user(activation_key) account = RegistrationProfile.objects.activate_user(activation_key)
@ -76,9 +81,10 @@ def activate(request, activation_key,
context = RequestContext(request) context = RequestContext(request)
for key, value in extra_context.items(): for key, value in extra_context.items():
context[key] = callable(value) and value() or value context[key] = callable(value) and value() or value
# merge local settings dict with csrf token dict and render. (could use render()from django 1.34 onwards)
return render_to_response(template_name, return render_to_response(template_name,
{ 'account': account, c.update({ 'account': account,
'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS, 'settings':settings}, 'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS, 'settings':settings, }),
context_instance=context) context_instance=context)
@ -140,6 +146,10 @@ def register(request, success_url=None,
argument. argument.
""" """
# Generate CSRF token
c = {}
c.update(csrf(request))
if request.method == 'POST': if request.method == 'POST':
form = form_class(data=request.POST, files=request.FILES) form = form_class(data=request.POST, files=request.FILES)
if form.is_valid(): if form.is_valid():
@ -158,6 +168,7 @@ def register(request, success_url=None,
context = RequestContext(request) context = RequestContext(request)
for key, value in extra_context.items(): for key, value in extra_context.items():
context[key] = callable(value) and value() or value context[key] = callable(value) and value() or value
# merge local settings dict with csrf token dict and render. (could use render()from django 1.34 onwards)
return render_to_response(template_name, return render_to_response(template_name,
{ 'form': form,'settings':settings }, c.update({ 'form': form,'settings':settings }),
context_instance=context) context_instance=context)
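Review bot: `dict.update()` returns `None`, so the new `c.update({ 'account': account, ... })` and `c.update({ 'form': form,'settings':settings })` expressions hand `None` to `render_to_response` as the context dictionary, and `account`, `form` and `settings` no longer reach the template at all. Build the dict first and pass it: `c.update({'form': form, 'settings': settings})` on its own line, then `return render_to_response(template_name, c, context_instance=context)`, and the same shape in `activate`. Since both views already pass `context_instance=RequestContext(request)`, the `csrf_token` template variable is supplied by Django's csrf context processor on the versions that ship `CsrfViewMiddleware`, so the manual `csrf(request)` dict is likely redundant — verify against the Django version the project targets. The bodies of `activate` and `register` extend outside the hunks shown, and the comment's "django 1.34" presumably means 1.3.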


@ -61,17 +61,12 @@ TEMPLATE_CONTEXT_PROCESSORS = ( "django.core.context_processors.auth", "core.con
LOGIN_REDIRECT_URL = '/' LOGIN_REDIRECT_URL = '/'
if django.VERSION[0] >=1 and django.VERSION[1] > 1:
csrfmiddleware = 'django.middleware.csrf.CsrfViewMiddleware'
else:
csrfmiddleware = 'django.contrib.csrf.middleware.CsrfMiddleware'
MIDDLEWARE_CLASSES = ( MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware', 'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.redirects.middleware.RedirectFallbackMiddleware', 'django.contrib.redirects.middleware.RedirectFallbackMiddleware',
csrfmiddleware, 'django.middleware.csrf.CsrfViewMiddleware',
'troggle.middleware.SmartAppendSlashMiddleware' 'troggle.middleware.SmartAppendSlashMiddleware'
) )
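Review bot: Making `CsrfViewMiddleware` unconditional means every POST view in the project now gets a 403 unless its template renders `{% csrf_token %}` (or the view is deliberately `@csrf_exempt`), and this commit only updates `registration_form.html`; any other POST form or AJAX caller — none visible from here — should be checked before this lands. Dropping the `django.contrib.csrf.middleware.CsrfMiddleware` fallback also silently raises the minimum Django version, which deserves a line of documentation now that the version test is gone, e.g. `# Requires Django >= 1.2; every POST form must render {% csrf_token %}` above the entry.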


@ -9,7 +9,7 @@ registration_form.html | {{ block.super }}
{% endblock %} {% endblock %}
{% block content %} {% block content %}
<form action="{% url registration_register %}" method="POST"> <form action="{% url registration_register %}" method="POST">{% csrf_token %}
{% for error in form.non_field_errors %} {% for error in form.non_field_errors %}
<span style="color:red">{{ error }}</span> <span style="color:red">{{ error }}</span>
{% endfor %} {% endfor %}