authorMatthew Somerville <matthew@mysociety.org>2016-06-15 20:14:51 +0100
committerMatthew Somerville <matthew-github@dracos.co.uk>2016-07-06 12:58:57 +0100
commit9d8ae07980bccd58e11acbc82e60b651ed20c181 (patch)
treeccfa198d3ec4bc0a0d903b8c59d89efa32c3ccc7 /templates
parentf0911da291b55801e69132a4d6f0a312089fdc18 (diff)
Improve CSRF tokens and add to more forms.
Diffstat (limited to 'templates')
-rw-r--r--templates/web/base/admin/body-form.html2
-rw-r--r--templates/web/base/admin/body.html4
-rw-r--r--templates/web/base/admin/category_edit.html2
-rw-r--r--templates/web/base/admin/report_edit.html2
-rw-r--r--templates/web/base/admin/update_edit.html2
-rw-r--r--templates/web/base/admin/user-form.html2
-rw-r--r--templates/web/base/alert/_list.html1
-rw-r--r--templates/web/base/alert/updates.html1
-rwxr-xr-xtemplates/web/base/around/display_location.html1
-rw-r--r--templates/web/base/auth/change_password.html3
-rw-r--r--templates/web/base/report/_main.html1
-rw-r--r--templates/web/base/report/display_tools.html2
-rw-r--r--templates/web/base/report/new/fill_in_details.html5
-rw-r--r--templates/web/base/report/update-form.html1
-rw-r--r--templates/web/base/report/update.html1
-rw-r--r--templates/web/bromley/report/display.html1
-rw-r--r--templates/web/eastsussex/report/update-form.html2
-rw-r--r--templates/web/seesomething/around/display_location.html1
-rw-r--r--templates/web/zurich/admin/body-form.html2
-rw-r--r--templates/web/zurich/admin/body.html2
-rw-r--r--templates/web/zurich/admin/report_edit-sdm.html2
-rw-r--r--templates/web/zurich/admin/report_edit.html2
-rw-r--r--templates/web/zurich/admin/template_edit.html2
-rw-r--r--templates/web/zurich/admin/update_edit.html2
24 files changed, 29 insertions, 17 deletions
diff --git a/templates/web/base/admin/body-form.html b/templates/web/base/admin/body-form.html
index 7acfbfdd5..8c4956f7f 100644
--- a/templates/web/base/admin/body-form.html
+++ b/templates/web/base/admin/body-form.html
@@ -236,7 +236,7 @@
<p>
<input type="hidden" name="posted" value="body">
- <input type="hidden" name="token" value="[% token %]">
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="submit" value="[% body ? loc('Update body') : loc('Add body') %]">
</p>
</form>
diff --git a/templates/web/base/admin/body.html b/templates/web/base/admin/body.html
index d5e575666..15802fc44 100644
--- a/templates/web/base/admin/body.html
+++ b/templates/web/base/admin/body.html
@@ -97,7 +97,7 @@
<p>
<input type="hidden" name="posted" value="update">
- <input type="hidden" name="token" value="[% token %]">
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="submit" name="Update statuses" value="[% loc('Update statuses') %]">
</p>
</form>
@@ -202,7 +202,7 @@
<p>
<input type="hidden" name="posted" value="new" >
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="submit" name="Create category" value="[% errors ? loc('Save changes') : loc('Create category') %]" >
</p>
diff --git a/templates/web/base/admin/category_edit.html b/templates/web/base/admin/category_edit.html
index c0bd43ef5..6537fe028 100644
--- a/templates/web/base/admin/category_edit.html
+++ b/templates/web/base/admin/category_edit.html
@@ -22,7 +22,7 @@
<form method="post" action="[% c.uri_for('body', body_id ) %]" enctype="application/x-www-form-urlencoded" accept-charset="utf-8">
<p><strong>[% loc('Category:') %] </strong>[% contact.category | html %]
<input type="hidden" name="category" value="[% contact.category | html %]" >
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
[% IF contact.extra %]
<p><strong>[% loc('Extra data:') %] </strong>
[% USE Dumper %]
diff --git a/templates/web/base/admin/report_edit.html b/templates/web/base/admin/report_edit.html
index c0cdead84..065c6c2ce 100644
--- a/templates/web/base/admin/report_edit.html
+++ b/templates/web/base/admin/report_edit.html
@@ -4,7 +4,7 @@
[% status_message %]
<form method="post" action="[% c.uri_for( 'report_edit', problem.id ) %]" enctype="application/x-www-form-urlencoded" accept-charset="utf-8">
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="hidden" name="submit" value="1" >
<ul>
[%- cobrand_data = problem.cobrand_data;
diff --git a/templates/web/base/admin/update_edit.html b/templates/web/base/admin/update_edit.html
index a956bb2cb..06bee6010 100644
--- a/templates/web/base/admin/update_edit.html
+++ b/templates/web/base/admin/update_edit.html
@@ -4,7 +4,7 @@
[% status_message %]
<form method="post" action="[% c.uri_for( 'update_edit', update.id ) %]" enctype="application/x-www-form-urlencoded" accept-charset="utf-8">
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="hidden" name="submit" value="1" >
<ul>
[%- cobrand_data = update.cobrand_data;
diff --git a/templates/web/base/admin/user-form.html b/templates/web/base/admin/user-form.html
index 3956e8533..b863bf96a 100644
--- a/templates/web/base/admin/user-form.html
+++ b/templates/web/base/admin/user-form.html
@@ -1,5 +1,5 @@
<form method="post" action="[% c.uri_for( 'user_edit', user.id ) %]" enctype="application/x-www-form-urlencoded" accept-charset="utf-8">
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="hidden" name="submit" value="1" >
[% IF c.cobrand.moniker == 'zurich' AND field_errors.email %]
diff --git a/templates/web/base/alert/_list.html b/templates/web/base/alert/_list.html
index 395948248..65bba2fed 100644
--- a/templates/web/base/alert/_list.html
+++ b/templates/web/base/alert/_list.html
@@ -1,3 +1,4 @@
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="hidden" name="type" value="local">
<input type="hidden" name="pc" value="[% pc | html %]">
<input type="hidden" name="latitude" value="[% latitude | html %]">
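Review bot: The new token input is the only hidden field in this fragment whose value is emitted without the `| html` filter, while `pc`, `latitude` and the rest of the fragment escape theirs. A server-generated token is unlikely to contain markup, but `<input type="hidden" name="token" value="[% csrf_token | html %]">` costs nothing and keeps the fragment's single rule for attribute values. This file is an include of hidden fields only; the `<form>` that wraps it, and whether that form posts to an endpoint that actually compares the token, live in the including template and cannot be checked from this hunk.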
diff --git a/templates/web/base/alert/updates.html b/templates/web/base/alert/updates.html
index 104bfa55a..ecaed37ca 100644
--- a/templates/web/base/alert/updates.html
+++ b/templates/web/base/alert/updates.html
@@ -23,6 +23,7 @@
<input class="green-btn" type="submit" value="[% loc('Subscribe') %]">
</div>
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="hidden" name="id" value="[% problem_id | html %]">
<input type="hidden" name="type" value="updates">
</fieldset>
diff --git a/templates/web/base/around/display_location.html b/templates/web/base/around/display_location.html
index 7bf62e528..7c54f4b76 100755
--- a/templates/web/base/around/display_location.html
+++ b/templates/web/base/around/display_location.html
@@ -40,6 +40,7 @@
[% IF allow_creation %]
<form action="[% c.uri_for('/report/new') %]" method="post" name="mapForm" id="mapForm" enctype="multipart/form-data" class="validate" novalidate>
+ <input type="hidden" name="token" value="[% csrf_token %]">
[% IF c.req.params.map_override %]
<input type="hidden" name="map_override" value="[% c.req.params.map_override | html %]">
[% END %]
diff --git a/templates/web/base/auth/change_password.html b/templates/web/base/auth/change_password.html
index b4170c23e..be0dc69b4 100644
--- a/templates/web/base/auth/change_password.html
+++ b/templates/web/base/auth/change_password.html
@@ -3,11 +3,12 @@
<h1>[% loc('Change password') %]</h1>
[% IF password_changed %]
- <p id="fixed">[% loc('Your password has been changed') %]</p>
+ <p class="form-success">[% loc('Your password has been changed') %]</p>
[% END %]
<form action="[% c.uri_for('change_password') %]" method="post" name="change_password" class="fieldset">
+ <input type="hidden" name="token" value="[% csrf_token %]">
[% IF password_error;
diff --git a/templates/web/base/report/_main.html b/templates/web/base/report/_main.html
index aaa167108..4821b3fa0 100644
--- a/templates/web/base/report/_main.html
+++ b/templates/web/base/report/_main.html
@@ -5,6 +5,7 @@
[% IF moderating %]
[% original = problem_original %]
<form method="post" action="/moderate/report/[% problem.id %]">
+ <input type="hidden" name="token" value="[% csrf_token %]">
<p class="moderate-display">
<input type="button" class="btn moderate" value="moderate">
</p>
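Review bot: The token is emitted only inside the `[% IF moderating %]` branch, so the `/moderate/report/...` endpoint will receive requests both with and without a `token` field depending on who rendered the page; the handler has to treat a missing or empty token as a failed check rather than as "nothing to verify", otherwise a forged request that simply omits the field is not stopped. That handler is not part of this templates-only diff, so this is an assumption to confirm rather than a defect visible here. The form opened on the line above the token is closed outside the hunk, as is the enclosing `[% IF moderating %]` block.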
diff --git a/templates/web/base/report/display_tools.html b/templates/web/base/report/display_tools.html
index c1413d9c7..58e450c84 100644
--- a/templates/web/base/report/display_tools.html
+++ b/templates/web/base/report/display_tools.html
@@ -2,6 +2,7 @@
<ul id="key-tools">
[% IF c.user_exists AND c.cobrand.users_can_hide AND c.user.belongs_to_body( c.cobrand.council_id ) %]
<li><form method="post" action="/report/delete/[% problem.id %]" id="remove-from-site-form">
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="submit" id="key-tool-report-abuse" class="abuse" value="Remove from site">
</form></li>
[% ELSIF c.cobrand.moniker != 'zurich' %]
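Review bot: "Remove from site" is a destructive POST whose only visible gate is the template condition `c.user_exists AND c.cobrand.users_can_hide AND c.user.belongs_to_body(...)`; the added token stops a third-party page from submitting it on a logged-in body user's behalf, but it does not stand in for that authorisation, which `/report/delete` must still enforce on its own. Neither the permission check nor the token comparison is in this diff (the diffstat is limited to templates), so both remain to be confirmed on the controller side. If the token validation and the permission check are done in separate places, the permission check should come first so an unauthorised user cannot probe token handling.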
@@ -40,6 +41,7 @@
<input type="email" name="rznvy" id="alert_rznvy" value="[% email | html %]" size="30" placeholder="[% loc('Your email') %]">
<input class="green-btn" type="submit" value="[% loc('Subscribe') %]">
</div>
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="hidden" name="id" value="[% problem.id %]">
<input type="hidden" name="type" value="updates">
</fieldset>
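Review bot: This alert-subscription form is filled in by visitors who are not logged in (it asks for an address in the `rznvy` field rather than using the session user), so whatever `csrf_token` is derived from must also exist for a visitor without an account; if the token is bound to a login session, anonymous subscribers will submit a token the server cannot match and the Subscribe button silently stops working for the form's main audience. How the token is generated is outside this diff, so this is a point to confirm rather than a defect seen here. The `<form>` element and the handler for `type=updates` are both outside the hunk.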
diff --git a/templates/web/base/report/new/fill_in_details.html b/templates/web/base/report/new/fill_in_details.html
index 55b3a5207..d7e2f1d3a 100644
--- a/templates/web/base/report/new/fill_in_details.html
+++ b/templates/web/base/report/new/fill_in_details.html
@@ -12,16 +12,15 @@
<input type="hidden" name="map_override" value="[% c.req.params.map_override | html %]">
[% END %]
- <input type="hidden" name="pc" value="[% pc | html %]">
-
[% ELSE %]
<form action="[% c.uri_for('/report/new') %]" method="post" name="mapSkippedForm"[% IF c.cobrand.allow_photo_upload %] enctype="multipart/form-data"[% END %] class="validate">
- <input type="hidden" name="pc" value="[% pc | html %]">
<input type="hidden" name="skipped" value="1">
[% END %]
+ <input type="hidden" name="token" value="[% csrf_token %]">
+ <input type="hidden" name="pc" value="[% pc | html %]">
<input type="hidden" name="latitude" id="fixmystreet.latitude" value="[% latitude | html %]">
<input type="hidden" name="longitude" id="fixmystreet.longitude" value="[% longitude | html %]">
diff --git a/templates/web/base/report/update-form.html b/templates/web/base/report/update-form.html
index f6ce265bf..97e0df779 100644
--- a/templates/web/base/report/update-form.html
+++ b/templates/web/base/report/update-form.html
@@ -15,6 +15,7 @@
[% INCLUDE 'errors.html' %]
<form method="post" action="[% c.uri_for( '/report/update' ) %]" id="form_update_form" name="updateForm" class="validate"[% IF c.cobrand.allow_photo_upload %] enctype="multipart/form-data"[% END %]>
+ <input type="hidden" name="token" value="[% csrf_token %]">
<fieldset>
[% IF NOT login_success AND NOT oauth_need_email %]
[% INCLUDE 'report/update/form_update.html' %]
diff --git a/templates/web/base/report/update.html b/templates/web/base/report/update.html
index a09913d39..aaad33b7a 100644
--- a/templates/web/base/report/update.html
+++ b/templates/web/base/report/update.html
@@ -8,6 +8,7 @@
<li class="item-list__item item-list__item--updates">
[% IF moderating; original_update = update.moderation_original_data %]
<form method="post" action="/moderate/report/[% problem.id %]/update/[% update.id %]">
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="button" class="btn moderate moderate-display" value="moderate">
<div class="moderate-edit">
<input type="checkbox" class="hide-document" name="update_hide">
diff --git a/templates/web/bromley/report/display.html b/templates/web/bromley/report/display.html
index da83e005f..27e1e64a9 100644
--- a/templates/web/bromley/report/display.html
+++ b/templates/web/bromley/report/display.html
@@ -56,6 +56,7 @@
[% INCLUDE 'errors.html' %]
<form method="post" action="[% c.uri_for( '/report/update' ) %]" name="updateForm" class="validate"[% IF c.cobrand.allow_photo_upload %] enctype="multipart/form-data"[% END %]>
+ <input type="hidden" name="token" value="[% csrf_token %]">
<fieldset>
<input type="hidden" name="submit_update" value="1">
<input type="hidden" name="id" value="[% problem.id | html %]">
diff --git a/templates/web/eastsussex/report/update-form.html b/templates/web/eastsussex/report/update-form.html
index e4fb47a45..b2c67890f 100644
--- a/templates/web/eastsussex/report/update-form.html
+++ b/templates/web/eastsussex/report/update-form.html
@@ -24,6 +24,7 @@
</p>
<form method="post" action="/report/new">
+ <input type="hidden" name="token" value="[% csrf_token %]">
<input type="hidden" name="latitude" value="[% problem.latitude %]">
<input type="hidden" name="longitude" value="[% problem.longitude %]">
<input type="submit" class="green-btn" value="CREATE A NEW PROBLEM NEARBY">
@@ -56,6 +57,7 @@
[% INCLUDE 'errors.html' %]
<form method="post" action="[% c.uri_for( '/report/update' ) %]" id="form_update_form" name="updateForm" class="validate"[% IF c.cobrand.allow_photo_upload %] enctype="multipart/form-data"[% END %]>
+ <input type="hidden" name="token" value="[% csrf_token %]">
<fieldset>
<input type="hidden" name="submit_update" value="1">
<input type="hidden" name="id" value="[% problem.id | html %]">
diff --git a/templates/web/seesomething/around/display_location.html b/templates/web/seesomething/around/display_location.html
index b54311264..692ea22ee 100644
--- a/templates/web/seesomething/around/display_location.html
+++ b/templates/web/seesomething/around/display_location.html
@@ -20,6 +20,7 @@
%]
<form action="[% c.uri_for('/report/new') %]" method="post" name="mapForm" id="mapForm" enctype="multipart/form-data" class="validate" novalidate>
+ <input type="hidden" name="token" value="[% csrf_token %]">
[% IF c.req.params.map_override %]
<input type="hidden" name="map_override" value="[% c.req.params.map_override | html %]">
[% END %]
diff --git a/templates/web/zurich/admin/body-form.html b/templates/web/zurich/admin/body-form.html
index ac2887159..966bdf799 100644
--- a/templates/web/zurich/admin/body-form.html
+++ b/templates/web/zurich/admin/body-form.html
@@ -47,7 +47,7 @@
<p>
<input type="hidden" name="posted" value="body">
- <input type="hidden" name="token" value="[% token %]">
+ <input type="hidden" name="token" value="[% csrf_token %]">
<p>
<input type="submit" value="[% body ? loc('Update body') : loc('Add body') %]">
</p>
diff --git a/templates/web/zurich/admin/body.html b/templates/web/zurich/admin/body.html
index 771f1e537..1a156773d 100644
--- a/templates/web/zurich/admin/body.html
+++ b/templates/web/zurich/admin/body.html
@@ -55,7 +55,7 @@
<p>
<input type="hidden" name="posted" value="new" >
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="submit" name="Create category" value="[% errors ? loc('Save changes') : loc('Create category') %]">
</p>
diff --git a/templates/web/zurich/admin/report_edit-sdm.html b/templates/web/zurich/admin/report_edit-sdm.html
index 63c6b5e6f..e7602b659 100644
--- a/templates/web/zurich/admin/report_edit-sdm.html
+++ b/templates/web/zurich/admin/report_edit-sdm.html
@@ -11,7 +11,7 @@
</div>
<form method="post" action="[% c.uri_for( 'report_edit', problem.id ) %]" enctype="application/x-www-form-urlencoded" accept-charset="utf-8">
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="hidden" name="submit" value="1" >
<div class="admin-report-edit admin-report-edit--details">
diff --git a/templates/web/zurich/admin/report_edit.html b/templates/web/zurich/admin/report_edit.html
index dd876935c..f1ee7a846 100644
--- a/templates/web/zurich/admin/report_edit.html
+++ b/templates/web/zurich/admin/report_edit.html
@@ -13,7 +13,7 @@
[% pstate = problem.get_extra_metadata('closure_status') || problem.state %]
<form id="report_edit" method="post" action="[% c.uri_for( 'report_edit', problem.id ) %]" enctype="application/x-www-form-urlencoded" accept-charset="utf-8">
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="hidden" name="submit" value="1" >
<div class="admin-report-edit admin-report-edit--details">
diff --git a/templates/web/zurich/admin/template_edit.html b/templates/web/zurich/admin/template_edit.html
index 1deda6a77..dbad55f08 100644
--- a/templates/web/zurich/admin/template_edit.html
+++ b/templates/web/zurich/admin/template_edit.html
@@ -25,7 +25,7 @@
<textarea name="text" class="required">[% rt.text |html %]</textarea>
</p>
<p>
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="submit" name="Edit templates" value="[% rt.id ? loc('Save changes') : loc('Create template') %]" >
</p>
[% IF rt.id %]
diff --git a/templates/web/zurich/admin/update_edit.html b/templates/web/zurich/admin/update_edit.html
index fbd96f3a5..adafff3a8 100644
--- a/templates/web/zurich/admin/update_edit.html
+++ b/templates/web/zurich/admin/update_edit.html
@@ -4,7 +4,7 @@
[% status_message %]
<form method="post" action="[% c.uri_for( 'update_edit', update.id ) %]" enctype="application/x-www-form-urlencoded" accept-charset="utf-8">
- <input type="hidden" name="token" value="[% token %]" >
+ <input type="hidden" name="token" value="[% csrf_token %]" >
<input type="hidden" name="submit" value="1" >
<ul>
<li><a href="[% c.uri_for_email( '/report', update.problem_id ) %]#update_[% update.id %]">[% loc('View report on site' )%]</a></li>