xle/troggle-unchained
2
0
Fork 0
forked from expo/troggle
Code Issues 4 Pull Requests Projects 1 Wiki Activity

Add CSRF protection to registration form (and remove annoying second

Browse Source 
password)
This commit is contained in:
Wookey 2013-07-02 18:10:45 +01:00
parent ca1a1dfb97
commit ed13cca261
3 changed files with 19 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
registration/forms.py
View File

@ -15,15 +15,15 @@ from registration.models import RegistrationProfile
# on them with CSS or JavaScript if they have a class of "required" # on them with CSS or JavaScript if they have a class of "required"
# in the HTML. Your mileage may vary. If/when Django ticket #3515 # in the HTML. Your mileage may vary. If/when Django ticket #3515
# lands in trunk, this will no longer be necessary. # lands in trunk, this will no longer be necessary.
attrs_dict = { 'class': 'required' } # This was fixed in 2007, so I guess we don't need this any more. [W]
#attrs_dict = { 'class': 'required' }
class RegistrationForm(forms.Form): class RegistrationForm(forms.Form):
""" """
Form for registering a new user account. Form for registering a new user account.
Validates that the requested username is not already in use, and Validates that the requested username is not already in use.
requires the password to be entered twice to catch typos.
Subclasses should feel free to add any additional validation they Subclasses should feel free to add any additional validation they
need, but should either preserve the base ``save()`` or implement need, but should either preserve the base ``save()`` or implement
@ -39,8 +39,7 @@ class RegistrationForm(forms.Form):
label=_(u'email address')) label=_(u'email address'))
password1 = forms.CharField(widget=forms.PasswordInput(attrs=attrs_dict, render_value=False), password1 = forms.CharField(widget=forms.PasswordInput(attrs=attrs_dict, render_value=False),
label=_(u'password')) label=_(u'password'))
password2 = forms.CharField(widget=forms.PasswordInput(attrs=attrs_dict, render_value=False),
label=_(u'password (again)'))
def clean_username(self): def clean_username(self):
""" """
@ -62,9 +61,7 @@ class RegistrationForm(forms.Form):
field. field.
""" """
if 'password1' in self.cleaned_data and 'password2' in self.cleaned_data: if 'password1' in self.cleaned_data:
if self.cleaned_data['password1'] != self.cleaned_data['password2']:
raise forms.ValidationError(_(u'You must type the same password each time'))
if len(self.cleaned_data['password1']) < 6: if len(self.cleaned_data['password1']) < 6:
raise forms.ValidationError(_(u'Your password must be at least 6 characters')) raise forms.ValidationError(_(u'Your password must be at least 6 characters'))
return self.cleaned_data return self.cleaned_data

15
registration/views.py
View File

@ -11,7 +11,9 @@ from django.http import HttpResponseRedirect
from django.shortcuts import render_to_response from django.shortcuts import render_to_response
from django.template import RequestContext from django.template import RequestContext
from django.contrib.auth import login from django.contrib.auth import login
#Add CSRF protection:
from django.core.context_processors import csrf
from django.shortcuts import render_to_response
from registration.forms import RegistrationForm from registration.forms import RegistrationForm
from registration.models import RegistrationProfile from registration.models import RegistrationProfile
@ -64,6 +66,9 @@ def activate(request, activation_key,
""" """
# Generate CSRF token
c = {}
c.update(csrf(request))
activation_key = activation_key.lower() # Normalize before trying anything with it. activation_key = activation_key.lower() # Normalize before trying anything with it.
account = RegistrationProfile.objects.activate_user(activation_key) account = RegistrationProfile.objects.activate_user(activation_key)
@ -79,7 +84,7 @@ def activate(request, activation_key,
return render_to_response(template_name, return render_to_response(template_name,
{ 'account': account, { 'account': account,
'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS, 'settings':settings}, 'expiration_days': settings.ACCOUNT_ACTIVATION_DAYS, 'settings':settings},
context_instance=context) context_instance=context, c)
def register(request, success_url=None, def register(request, success_url=None,
@ -140,6 +145,10 @@ def register(request, success_url=None,
argument. argument.
""" """
# Generate CSRF token
c = {}
c.update(csrf(request))
if request.method == 'POST': if request.method == 'POST':
form = form_class(data=request.POST, files=request.FILES) form = form_class(data=request.POST, files=request.FILES)
if form.is_valid(): if form.is_valid():
@ -160,4 +169,4 @@ def register(request, success_url=None,
context[key] = callable(value) and value() or value context[key] = callable(value) and value() or value
return render_to_response(template_name, return render_to_response(template_name,
{ 'form': form,'settings':settings }, { 'form': form,'settings':settings },
context_instance=context) context_instance=context, c)

11
templates/registration/registration_form.html
View File

@ -9,7 +9,7 @@ registration_form.html | {{ block.super }}
{% endblock %} {% endblock %}
{% block content %} {% block content %}
<form action="{% url registration_register %}" method="POST"> <form action="{% url registration_register %}" method="POST">{% csrf_token %}
{% for error in form.non_field_errors %} {% for error in form.non_field_errors %}
<span style="color:red">{{ error }}</span> <span style="color:red">{{ error }}</span>
{% endfor %} {% endfor %}
@ -41,15 +41,6 @@ registration_form.html | {{ block.super }}
{% endfor %} {% endfor %}
</td> </td>
</tr> </tr>
<tr>
<td align="right" valign="top">Password (again):</td>
<td>
{{ form.password2 }} <br/>
{% for error in form.password2.errors %}
<span style="color:red">{{ error }}</span>
{% endfor %}
</td>
</tr>
<tr> <tr>
<td>&nbsp;</td> <td>&nbsp;</td>
<td><input type="submit" value="Register" /></td> <td><input type="submit" value="Register" /></td>