From b29fa7522613f09ebc2762129dd4ca25f546ee7d Mon Sep 17 00:00:00 2001 From: Yusur Princeps Date: Fri, 19 Dec 2025 11:10:32 +0100 Subject: [PATCH] add csrf_token to JavaScript actions --- CHANGELOG.md | 2 ++ src/coriplus/__init__.py | 2 +- src/coriplus/ajax.py | 5 +++-- src/coriplus/static/lib.js | 12 ++++++++++-- src/coriplus/templates/base.html | 1 + 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6bf0e72..cfb7a8a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,11 +3,13 @@ ## 0.10.0 + Codebase refactor (with breaking changes!) + Dropped support for Python<=3.9 ++ Switched database to PostgreSQL + Move ALL config to .env (config.py is NO MORE supported) + Config SITE_NAME replaced with APP_NAME + Add CSRF token and flask_WTF + Schema changes: biography and website moved to `User`; `UserProfile` table deprecated (and useless fields removed) + Posts can now be permanently deleted ++ Miscellaneous style changes ## 0.9.0 diff --git a/src/coriplus/__init__.py b/src/coriplus/__init__.py index 305ea7b..09cecf6 100644 --- a/src/coriplus/__init__.py +++ b/src/coriplus/__init__.py @@ -24,7 +24,7 @@ from flask_wtf import CSRFProtect import dotenv import logging -__version__ = '0.10.0-dev47' +__version__ = '0.10.0-dev50' # we want to support Python 3.10+ only. # Python 2 has too many caveats. diff --git a/src/coriplus/ajax.py b/src/coriplus/ajax.py index d2c0be3..cad9c74 100644 --- a/src/coriplus/ajax.py +++ b/src/coriplus/ajax.py @@ -5,8 +5,9 @@ Warning: this is not the public API. ''' from flask import Blueprint, jsonify +from flask_login import current_user from .models import User, Message, MessageUpvote -from .utils import locations, get_current_user, is_username +from .utils import locations, is_username import datetime bp = Blueprint('ajax', __name__, url_prefix='/ajax') 
@@ -39,7 +40,7 @@ def location_search(name): @bp.route('/score//toggle', methods=['POST']) def score_toggle(id): - user = get_current_user() + user = current_user message = Message[id] upvoted_by_self = (MessageUpvote .select() diff --git a/src/coriplus/static/lib.js b/src/coriplus/static/lib.js index cc78bea..11a2316 100644 --- a/src/coriplus/static/lib.js +++ b/src/coriplus/static/lib.js @@ -99,12 +99,20 @@ function showHideMessageOptions(id){ } } +function getCsrfToken () { + var csrf_token = document.querySelector('meta[name="csrf_token"]'); + return csrf_token?.getAttribute('content'); +} + function toggleUpvote(id){ var msgElem = document.getElementById(id); - var upvoteLink = msgElem.getElementsByClassName('message-upvote')[0]; + //var upvoteLink = msgElem.getElementsByClassName('message-upvote')[0]; var scoreCounter = msgElem.getElementsByClassName('message-score')[0]; + var body = "csrf_token=" + getCsrfToken(); var xhr = new XMLHttpRequest(); xhr.open("POST", "/ajax/score/" + id + "/toggle", true); + xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); + // TODO add csrf token somewhere xhr.onreadystatechange = function(){ if(xhr.readyState == XMLHttpRequest.DONE){ if(xhr.status == 200){ @@ -114,5 +122,5 @@ function toggleUpvote(id){ } } }; - xhr.send(); + xhr.send(body); } diff --git a/src/coriplus/templates/base.html b/src/coriplus/templates/base.html index 415711b..60667ea 100644 --- a/src/coriplus/templates/base.html +++ b/src/coriplus/templates/base.html @@ -6,6 +6,7 @@ +
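Review bot: `user = current_user` in score_toggle is reached with no authentication check visible, because the only decorator in the hunk is `@bp.route(..., methods=['POST'])` and flask_login's `current_user` resolves to an anonymous user object when nobody is logged in, so the following `MessageUpvote` query would run against that proxy. Unless the replaced `get_current_user()` used to reject anonymous sessions (not visible here), add `from flask_login import login_required` next to the new import and decorate the view with `@login_required`, or guard with `if not current_user.is_authenticated: abort(401)` before the lookup. The body of score_toggle continues outside the hunk; `Message[id]` on an unknown id also looks like it surfaces as an uncaught exception rather than a 404, which is worth confirming there.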
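Review bot: The comment `// TODO add csrf token somewhere` added under `xhr.setRequestHeader(...)` is already stale, since the same hunk builds `body = "csrf_token=" + getCsrfToken()` and sends it; drop the TODO and the commented-out `//var upvoteLink` line rather than leaving dead notes in toggleUpvote. `getCsrfToken()` returns `undefined` when the `meta[name="csrf_token"]` tag is absent, which turns the body into `csrf_token=undefined` and produces an opaque 400 from CSRFProtect instead of a clear client-side error, and the token is concatenated raw rather than URL-encoded. Suggest `var token = getCsrfToken(); if (!token) { console.error("csrf_token meta tag missing"); return; }` followed by `var body = "csrf_token=" + encodeURIComponent(token);`, or send it as `xhr.setRequestHeader("X-CSRFToken", token)`, which Flask-WTF's CSRFProtect also reads. The second hunk's `xhr.send(body)` works unchanged with either form.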