added XSRF protection to all forms and associated tests
[bluechips.git] / bluechips / controllers / transfer.py
index 016f508df07f7d379d468db895be23454dd2ec8e..ed0601845fc58b9db6f8ad67bfd1daf1e10d0702 100644 (file)
@@ -10,6 +10,8 @@ from bluechips.lib.base import *
 
 from pylons import request, app_globals as g
 from pylons.decorators import validate
+from pylons.decorators.secure import authenticate_form
+from pylons.controllers.util import abort
 
 from formencode import Schema, validators
 
@@ -42,8 +44,12 @@ class TransferController(BaseController):
         else:
             c.title = 'Edit a Transfer'
             c.transfer = meta.Session.query(model.Transfer).get(id)
+            if c.transfer is None:
+                abort(404)
         return render('/transfer/index.mako')
     
+    @redirect_on_get('edit')
+    @authenticate_form
     @validate(schema=TransferSchema(), form='edit')
     def update(self, id=None):
         if id is None:
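Review bot: The three decorators stacked on `update` only work in this order, and nothing in the code says so. Python applies them outermost first, so `redirect_on_get('edit')` sees the request before `authenticate_form` checks the XSRF token, and the token is checked before `validate` touches the submitted fields. A one-line comment above the stack would keep a later reorder from silently weakening it, for example `# Order matters: send GETs back to the form, then check the XSRF token, then validate the fields.` `redirect_on_get` is not among the imports added in the first hunk, so it presumably arrives through `from bluechips.lib.base import *`; an explicit import would make that dependency visible. The token check also relies on the `edit` template emitting the matching hidden token field, which this file's diff does not show. The body of `update` continues outside the hunk.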
@@ -52,6 +58,8 @@ class TransferController(BaseController):
             op = 'created'
         else:
             t = meta.Session.query(model.Transfer).get(id)
+            if t is None:
+                abort(404)
             op = 'updated'
         
         update_sar(t, self.form_result)
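Review bot: The lookup followed by `if t is None: abort(404)` here repeats the pair added to `edit` in the previous hunk. A small private method on the controller that runs the query and aborts on a miss would keep the two paths from drifting apart, so the call site becomes `t = self._get_transfer_or_404(id)` (the helper name is a suggestion). The 404 is reached only after the token check on `update`, which is the right order and worth preserving if the lookup moves. The rest of `update` lies outside the hunk.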