yusur/coriplus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add CSRF token

Browse source
This commit is contained in:
Yusur 2025-11-06 07:25:07 +01:00
parent be24a37f5c
commit c46dce5e3b
16 changed files with 38 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -4,6 +4,7 @@
+ Codebase refactor (with breaking changes!) + Codebase refactor (with breaking changes!)
+ Move ALL config to .env (config.py is NO MORE supported) + Move ALL config to .env (config.py is NO MORE supported)
+ Config SITE_NAME replaced with APP_NAME + Config SITE_NAME replaced with APP_NAME
+ Add CSRF token and flask_WTF
## 0.9.0 ## 0.9.0

6
genmig.sh Executable file
View file

@ -0,0 +1,6 @@
#!/usr/bin/bash
# GENERATE MIGRATIONS
source venv/bin/activate && \
source .env && \
pw_migrate create --auto --auto-source=coriplus.models --directory=src/migrations --database="$DATABASE_URL" "$@"

4
pyproject.toml
View file

@ -8,7 +8,9 @@ dependencies = [
"Python-Dotenv>=1.0.0", "Python-Dotenv>=1.0.0",
"Flask", "Flask",
"Flask-Login", "Flask-Login",
"Peewee" "Peewee",
"Flask-WTF",
"peewee-migrate"
] ]
requires-python = ">=3.10" requires-python = ">=3.10"
classifiers = [ classifiers = [

6
src/coriplus/__init__.py
View file

@ -20,6 +20,7 @@ from flask import (
send_from_directory, __version__ as flask_version) send_from_directory, __version__ as flask_version)
import os, sys import os, sys
from flask_login import LoginManager from flask_login import LoginManager
from flask_wtf import CSRFProtect
import dotenv import dotenv
import logging import logging
@ -44,6 +45,8 @@ app.secret_key = os.environ['SECRET_KEY']
login_manager = LoginManager(app) login_manager = LoginManager(app)
CSRFProtect(app)
from .models import * from .models import *
from .utils import * from .utils import *
@ -64,7 +67,10 @@ def before_request():
@app.after_request @app.after_request
def after_request(response): def after_request(response):
try:
g.db.close() g.db.close()
except Exception:
logger.error('database closed twice')
return response return response
@app.context_processor @app.context_processor

3
src/coriplus/models.py
View file

@ -13,11 +13,12 @@ The tables are:
from flask import request from flask import request
from peewee import * from peewee import *
from playhouse.db_url import connect
import os import os
# here should go `from .utils import get_current_user`, but it will cause # here should go `from .utils import get_current_user`, but it will cause
# import errors. It's instead imported at function level. # import errors. It's instead imported at function level.
database = SqliteDatabase('coriplus.sqlite') database = connect(os.environ['DATABASE_URL'])
class BaseModel(Model): class BaseModel(Model):
class Meta: class Meta:

9
src/coriplus/templates/about.html
View file

@ -3,9 +3,12 @@
{% block body %} {% block body %}
<h1>About {{ site_name }}</h1> <h1>About {{ site_name }}</h1>
<p>{{ site_name }} {{ version }} &ndash; Python {{ python_version }} &ndash; <ul>
Flask {{ flask_version }}</p> <li>{{ site_name }} {{ version }}</li>
<p>Copyright &copy; 2019 Sakuragasaki46.</p> <li> Python {{ python_version }}</li>
<li>Flask {{ flask_version }}</li>
</ul>
<p>Copyright &copy; 2019, 2025 Sakuragasaki46.</p>
<h2>License</h2> <h2>License</h2>
<p>Permission is hereby granted, free of charge, to any person obtaining <p>Permission is hereby granted, free of charge, to any person obtaining

1
src/coriplus/templates/admin_report_detail.html
View file

@ -21,6 +21,7 @@
{% include "includes/reported_message.html" %} {% include "includes/reported_message.html" %}
{% endif %} {% endif %}
<form method="POST"> <form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" name="take_down" value="Take down"> <input type="submit" name="take_down" value="Take down">
<input type="submit" name="discard" value="Discard"> <input type="submit" name="discard" value="Discard">
</form> </form>

2
src/coriplus/templates/base.html
View file

@ -34,7 +34,7 @@
{% block body %}{% endblock %} {% block body %}{% endblock %}
</div> </div>
<div class="footer"> <div class="footer">
<p class="copyright">&copy; 2019 Sakuragasaki46. <p class="copyright">&copy; 2019, 2025 Sakuragasaki46.
<a href="/about/">About</a> - <a href="/terms/">Terms</a> - <a href="/about/">About</a> - <a href="/terms/">Terms</a> -
<a href="/privacy/">Privacy</a> - <a href="/privacy/">Privacy</a> -
<a href="https://github.com/sakuragasaki46/coriplus">GitHub</a></p> <a href="https://github.com/sakuragasaki46/coriplus">GitHub</a></p>

1
src/coriplus/templates/change_password.html
View file

@ -4,6 +4,7 @@
<h2>Change Password</h2> <h2>Change Password</h2>
<form method="POST"> <form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<dl> <dl>
<dt>Old password:</dt> <dt>Old password:</dt>
<dd><input type="password" name="old_password"></dd> <dd><input type="password" name="old_password"></dd>

9
src/coriplus/templates/confirm_delete.html
View file

@ -3,20 +3,19 @@
{% block body %} {% block body %}
<h2>Confirm Deletion</h2> <h2>Confirm Deletion</h2>
<p>Are you sure you want to permanently delete this post? <p>Are you sure you want to <u>permanently delete</u> this post?
Neither you nor others will be able to see it; Neither you nor others will be able to see it;
you cannot recover a post after it's deleted.</p> you cannot recover a post after it's deleted.</p>
<p>If you only want to hide it from the public, <p><small>Tip: If you only want to hide it from the public,
you can <a href="/edit/{{ message.id }}">set its privacy</a> to "Only me".</p> you can <a href="/edit/{{ message.id }}">set its privacy</a> to "Only me".</small></p>
<p>Here's the content of the message for reference:</p>
<ul> <ul>
<li>{% include "includes/message.html" %}</li> <li>{% include "includes/message.html" %}</li>
</ul> </ul>
<form method="POST"> <form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" value="Delete"> <input type="submit" value="Delete">
</form> </form>
{% endblock %} {% endblock %}

1
src/coriplus/templates/create.html
View file

@ -2,6 +2,7 @@
{% block body %} {% block body %}
<h2>Create</h2> <h2>Create</h2>
<form action="{{ url_for('website.create') }}" method="POST" enctype="multipart/form-data"> <form action="{{ url_for('website.create') }}" method="POST" enctype="multipart/form-data">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<dl> <dl>
<dt>Message:</dt> <dt>Message:</dt>
<dd><textarea name="text" placeholder="What's happening?" class="create_text">{{ request.args['preload'] }}</textarea></dd> <dd><textarea name="text" placeholder="What's happening?" class="create_text">{{ request.args['preload'] }}</textarea></dd>

1
src/coriplus/templates/edit.html
View file

@ -2,6 +2,7 @@
{% block body %} {% block body %}
<h2>Edit</h2> <h2>Edit</h2>
<form action="{{ url_for('website.edit', id=message.id) }}" method="POST" enctype="multipart/form-data"> <form action="{{ url_for('website.edit', id=message.id) }}" method="POST" enctype="multipart/form-data">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<dl> <dl>
<dt>Message:</dt> <dt>Message:</dt>
<dd><textarea name="text" required="" class="create_text">{{ message.text }}</textarea></dd> <dd><textarea name="text" required="" class="create_text">{{ message.text }}</textarea></dd>

1
src/coriplus/templates/edit_profile.html
View file

@ -4,6 +4,7 @@
<h2>Edit Profile</h2> <h2>Edit Profile</h2>
<form method="POST"> <form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<dl> <dl>
<dt>Username:</dt> <dt>Username:</dt>
<dd><input type="text" class="username-input" name="username" required value="{{ current_user.username }}" autocomplete="off"></dd> <dd><input type="text" class="username-input" name="username" required value="{{ current_user.username }}" autocomplete="off"></dd>

1
src/coriplus/templates/login.html
View file

@ -3,6 +3,7 @@
<h2>Login</h2> <h2>Login</h2>
{% if error %}<p class=error><strong>Error:</strong> {{ error }}{% endif %} {% if error %}<p class=error><strong>Error:</strong> {{ error }}{% endif %}
<form method="POST"> <form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<dl> <dl>
<dt>Username or email: <dt>Username or email:
<dd><input type="text" name="username"> <dd><input type="text" name="username">

1
src/coriplus/templates/report_message.html
View file

@ -3,6 +3,7 @@
{% block body %} {% block body %}
{% for reason in report_reasons %} {% for reason in report_reasons %}
<form method="POST"> <form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<div class="item" onclick="submitReport({{ reason[0] }})"> <div class="item" onclick="submitReport({{ reason[0] }})">
<h2>{{ reason[1] }}</h2> <h2>{{ reason[1] }}</h2>
</div> </div>

1
src/coriplus/templates/report_user.html
View file

@ -3,6 +3,7 @@
{% block body %} {% block body %}
{% for reason in report_reasons %} {% for reason in report_reasons %}
<form method="POST"> <form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<div class="item" onclick="submitReport({{ reason[0] }})"> <div class="item" onclick="submitReport({{ reason[0] }})">
<h2>{{ reason[1] }}</h2> <h2>{{ reason[1] }}</h2>
</div> </div>