add CSRF token

src/coriplus/__init__.py

@@ -20,6 +20,7 @@ from flask import (
     send_from_directory, __version__ as flask_version)
 import os, sys
 from flask_login import LoginManager
+from flask_wtf import CSRFProtect
 import dotenv
 import logging
 
@@ -44,6 +45,8 @@ app.secret_key = os.environ['SECRET_KEY']
 
 login_manager = LoginManager(app)
 
+CSRFProtect(app)
+
 from .models import *
 
 from .utils import *
@@ -64,7 +67,10 @@ def before_request():
 
 @app.after_request
 def after_request(response):
-    g.db.close()
+    try:
+        g.db.close()
+    except Exception:
+        logger.error('database closed twice')
     return response
 
 @app.context_processor

src/coriplus/models.py

@@ -13,11 +13,12 @@ The tables are:
 
 from flask import request
 from peewee import *
+from playhouse.db_url import connect
 import os
 # here should go `from .utils import get_current_user`, but it will cause
 # import errors. It's instead imported at function level.
 
-database = SqliteDatabase('coriplus.sqlite')
+database = connect(os.environ['DATABASE_URL'])
 
 class BaseModel(Model):
     class Meta:

src/coriplus/templates/about.html

@@ -3,9 +3,12 @@
 {% block body %}
 <h1>About {{ site_name }}</h1>
 
-<p>{{ site_name }} {{ version }} &ndash; Python {{ python_version }} &ndash; 
-  Flask {{ flask_version }}</p>
-<p>Copyright &copy; 2019 Sakuragasaki46.</p>
+<ul>
+<li>{{ site_name }} {{ version }}</li>
+<li> Python {{ python_version }}</li>
+<li>Flask {{ flask_version }}</li>
+</ul>
+<p>Copyright &copy; 2019, 2025 Sakuragasaki46.</p>
 
 <h2>License</h2>
 <p>Permission is hereby granted, free of charge, to any person obtaining 

src/coriplus/templates/admin_report_detail.html

@@ -21,6 +21,7 @@
     {% include "includes/reported_message.html" %}
   {% endif %}
   <form method="POST">
+  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     <input type="submit" name="take_down" value="Take down">
     <input type="submit" name="discard" value="Discard">
   </form>

src/coriplus/templates/base.html

@@ -34,7 +34,7 @@
       {% block body %}{% endblock %}
     </div>
     <div class="footer">
-      <p class="copyright">&copy; 2019 Sakuragasaki46. 
+      <p class="copyright">&copy; 2019, 2025 Sakuragasaki46. 
         <a href="/about/">About</a> - <a href="/terms/">Terms</a> - 
         <a href="/privacy/">Privacy</a> - 
         <a href="https://github.com/sakuragasaki46/coriplus">GitHub</a></p>

src/coriplus/templates/change_password.html

@@ -4,6 +4,7 @@
 <h2>Change Password</h2>
 
 <form method="POST">
+<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
   <dl>
     <dt>Old password:</dt>
     <dd><input type="password" name="old_password"></dd>

src/coriplus/templates/confirm_delete.html

@@ -3,20 +3,19 @@
 {% block body %}
 <h2>Confirm Deletion</h2>
 
-<p>Are you sure you want to permanently delete this post? 
+<p>Are you sure you want to <u>permanently delete</u> this post? 
    Neither you nor others will be able to see it;
    you cannot recover a post after it's deleted.</p>
 
-<p>If you only want to hide it from the public, 
-   you can <a href="/edit/{{ message.id }}">set its privacy</a> to "Only me".</p>
-
-<p>Here's the content of the message for reference:</p>
+<p><small>Tip: If you only want to hide it from the public, 
+   you can <a href="/edit/{{ message.id }}">set its privacy</a> to "Only me".</small></p>
 
 <ul>
   <li>{% include "includes/message.html" %}</li>
 </ul>
 
 <form method="POST">
+<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
   <input type="submit" value="Delete">
 </form>
 {% endblock %}

src/coriplus/templates/create.html

@@ -2,6 +2,7 @@
 {% block body %}
   <h2>Create</h2>
   <form action="{{ url_for('website.create') }}" method="POST" enctype="multipart/form-data">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     <dl>
       <dt>Message:</dt>
       <dd><textarea name="text" placeholder="What's happening?" class="create_text">{{ request.args['preload'] }}</textarea></dd>

src/coriplus/templates/edit.html

@@ -2,6 +2,7 @@
 {% block body %}
   <h2>Edit</h2>
   <form action="{{ url_for('website.edit', id=message.id) }}" method="POST" enctype="multipart/form-data">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     <dl>
       <dt>Message:</dt>
       <dd><textarea name="text" required="" class="create_text">{{ message.text }}</textarea></dd>

src/coriplus/templates/edit_profile.html

@@ -4,6 +4,7 @@
 <h2>Edit Profile</h2>
 
 <form method="POST">
+  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
   <dl>
     <dt>Username:</dt>
     <dd><input type="text" class="username-input" name="username" required value="{{ current_user.username }}" autocomplete="off"></dd>

src/coriplus/templates/login.html

@@ -3,6 +3,7 @@
   <h2>Login</h2>
   {% if error %}<p class=error><strong>Error:</strong> {{ error }}{% endif %}
   <form method="POST">
+  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
     <dl>
       <dt>Username or email:
       <dd><input type="text" name="username">

src/coriplus/templates/report_message.html

@@ -3,6 +3,7 @@
 {% block body %}
   {% for reason in report_reasons %}
     <form method="POST">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
       <div class="item" onclick="submitReport({{ reason[0] }})">
         <h2>{{ reason[1] }}</h2>
       </div>

src/coriplus/templates/report_user.html

@@ -3,6 +3,7 @@
 {% block body %}
   {% for reason in report_reasons %}
     <form method="POST">
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
       <div class="item" onclick="submitReport({{ reason[0] }})">
         <h2>{{ reason[1] }}</h2>
       </div>