from bluechips.lib.base import *
from pylons import request, app_globals as g
-from pylons.decorators.rest import dispatch_on
from pylons.decorators import validate
+from pylons.decorators.secure import authenticate_form
from pylons.controllers.util import abort
from formencode import validators, Schema
return render('/spend/index.mako')
@redirect_on_get('edit')
+ @authenticate_form
@validate(schema=ExpenditureSchema(), form='edit', variable_decode=True)
def update(self, id=None):
# Either create a new object, or, if we're editing, get the
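Review bot: The placement of `@authenticate_form` between `@redirect_on_get('edit')` and `@validate` on `update` is load-bearing and deserves a comment, because reordering it would either turn plain GETs into 403s (if it moved above `redirect_on_get`) or let a forged POST reach `@validate`'s failure-path re-render before the token is ever checked (if it moved below `validate`). Suggest adding above the decorator stack: `# CSRF check sits inside redirect_on_get (GETs still redirect) but outside validate (forged POSTs are rejected before any form handling)`. The body of `update` continues outside the hunk.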
from pylons import request, app_globals as g
from pylons.decorators import validate
+from pylons.decorators.secure import authenticate_form
from pylons.controllers.util import abort
from formencode import Schema, validators
return render('/transfer/index.mako')
@redirect_on_get('edit')
+ @authenticate_form
@validate(schema=TransferSchema(), form='edit')
def update(self, id=None):
if id is None:
from pylons import request
from pylons.decorators import validate
+from pylons.decorators.secure import authenticate_form
from formencode import validators, Schema
c.title = 'User Settings'
return render('/user/index.mako')
+ @authenticate_form
@validate(schema=EmailSchema(), form='index')
def update(self):
new_email = self.form_result['new_email']
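Review bot: Unlike the spend and transfer `update` actions, `user.update` receives `@authenticate_form` with no `@redirect_on_get` in front of it, so a plain GET of `/user/update` (no POST body, hence no token) will presumably now be answered with 403 by the decorator rather than redirected back to the settings form. If `redirect_on_get` accepts an arbitrary action name, `@redirect_on_get('index')` placed above `@authenticate_form` would keep the three controllers consistent; otherwise a one-line comment stating that 403-on-GET is intended would stop a later reader from "fixing" it. The body of `update` continues outside the hunk.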
from routes import url_for, redirect_to
from webhelpers.html import escape, literal, url_escape
from webhelpers.html.tags import *
+from webhelpers.html.secure_form import *
from webhelpers.pylonslib import Flash as _Flash
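Review bot: The new star import of `webhelpers.html.secure_form` pulls every public name of that module into the `h` helper namespace, while the templates in this change only call `h.auth_token_hidden_field()`. An explicit `from webhelpers.html.secure_form import auth_token_hidden_field, token_key` makes the CSRF dependency visible to anyone reading the helpers module and avoids silently acquiring (or later shadowing) names such as `secure_form` or `authentication_token`. The existing `tags import *` on the line above has the same shape, so this is a style point rather than a defect.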
%>
<form action="${h.url_for(controller='spend', action='update', id=c.expenditure.id)}" method="post">
+ ${h.auth_token_hidden_field()}
<table class="form">
<tr>
<th><label for="spender_id">Spender</label></th>
<%inherit file="/base.mako"/>
<form action="${h.url_for(controller='transfer', action='update', id=c.transfer.id)}" method="post">
+ ${h.auth_token_hidden_field()}
<table class="form">
<tr>
<th><label for="debtor_id">From</label></th>
<p>Enter an email address below if you wish to be notified of any updates to transactions involving you. Leave blank to not receive notifications.</p>
<form action="${h.url_for(controller='user', action='update')}" method="post">
+ ${h.auth_token_hidden_field()}
<table class="form">
<tr>
<th><label for="new_email">Email</label></th>
from datetime import date
from formencode import Invalid
+from webhelpers.html.secure_form import token_key
+
from bluechips.tests import *
from bluechips import model
id=124234), status=404)
def test_update_nonexistent(self):
- response = self.app.post(url_for(controller='spend',
- action='update',
- id=14234),
- params=self.sample_post,
- status=404)
+ response = self.app.get(url_for(controller='spend',
+ action='edit'))
+ params = self.sample_post.copy()
+ params[token_key] = response.form[token_key].value
+ self.app.post(url_for(controller='spend',
+ action='update',
+ id=14234),
+ params=params,
+ status=404)
+
+ def test_xsrf_protection(self):
+ self.app.post(url_for(controller='spend',
+ action='update'),
+ params=self.sample_post,
+ status=403)
def test_all_zero_shares_fails(self):
params = self.sample_post.copy()
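Review bot: `test_xsrf_protection` only covers the missing-token case; a POST carrying a token that does not match the session (stale, or lifted from another user's session) is the more realistic forgery and presumably exercises the comparison path rather than the absent-field path in the decorator, so a second assertion is worth adding: `params = self.sample_post.copy()`, `params[token_key] = 'not-the-session-token'`, `self.app.post(url_for(controller='spend', action='update'), params=params, status=403)`. Separately, any other test in this class that still posts `self.sample_post` without fetching a token — `test_all_zero_shares_fails` just below looks like one, though its body is outside the hunk — will now get 403 unless the fixture injects the token; if those tests pass, a short comment saying where their token comes from would save the next reader a trip.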
from datetime import date
from decimal import Decimal
-from bluechips.tests import *
+from webhelpers.html.secure_form import token_key
+
+from bluechips.tests import *
from bluechips import model
from bluechips.model import meta
id=21424), status=404)
def test_update_nonexistent(self):
- response = self.app.post(url_for(controller='transfer',
- action='update',
- id=21424),
- params=self.sample_params,
- status=404)
+ response = self.app.get(url_for(controller='transfer',
+ action='edit'))
+ params = self.sample_params.copy()
+ params[token_key] = response.form[token_key].value
+ self.app.post(url_for(controller='transfer',
+ action='update',
+ id=21424),
+ params=params,
+ status=404)
+
+ def test_xsrf_protection(self):
+ self.app.post(url_for(controller='transfer',
+ action='update'),
+ params=self.sample_params,
+ status=403)
+
def test_update_get_redirects(self):
response = self.app.get(url_for(controller='transfer',
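Review bot: The GET-`edit`-then-read-`response.form[token_key].value` sequence in `test_update_nonexistent` is the same four lines the spend tests now carry, and every further test that POSTs to `update` will need it too; a small helper on the test class, e.g. `def _csrf_token(self): return self.app.get(url_for(controller='transfer', action='edit')).form[token_key].value`, keeps token handling in one place and makes it obvious which tests are meant to be authenticated. Note that both the current code and such a helper rely on the `edit` page rendering exactly one form, since WebTest's `response.form` errors out otherwise; a comment to that effect would help if the template ever grows a second form.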
filter_by(username=unicode(config['fake_username'])).one()
assert user.email == None
-
+ def test_xsrf_protection(self):
+ self.app.post(url_for(controller='user',
+ action='update'),
+ {'new_email': 'malicious@example.com'},
+ status=403)
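Review bot: `test_xsrf_protection` asserts only the 403 status, but the property being protected is that the forged POST changed nothing, so the test should also re-query the user with the same lookup the preceding test uses (the `filter_by(username=unicode(config['fake_username'])).one()` expression visible above) and assert `user.email == None` afterwards. Without that, a decorator that rejected the request after the handler had already committed the new address would still pass this test. The `'malicious@example.com'` value is a good choice of payload since it is distinguishable from any legitimate fixture email.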