Ticket #510: csrf-protection.patch

models/auth.py

@@ -222 +222 @@
-    def _module_log_action(user_id, content_type_id, object_id, object_repr, action_flag, change_message=''):
-        e = LogEntry(None, None, user_id, content_type_id, object_id, object_repr[:200], action_flag, change_message)
-        e.save()
+
+class CsrfToken(meta.Model):
+    token = meta.CharField(maxlength=200)
+    issued = meta.DateTimeField(auto_now=True)
+    user = meta.ForeignKey(User)
+    class META:
+        module_name = 'csrf'
+        verbose_name_plural = 'CSRF tokens'
+        db_table = 'auth_csrf_tokens'
+        ordering = ('-issued',)
+
+    def __repr__(self):
+        return self.token
+

conf/admin_templates/delete_confirmation_generic.html

@@ -2 +2 @@
-
-{% block content %}
-
+{% if csrf_failed %}<p class="errornote">CSRF protection: Please re-submit.</p>{% endif %}
+
-{% if perms_lacking %}
-    <p>Deleting the {{ object_name }} "{{ object }}" would result in deleting related objects, but your account doesn't have permission to delete the following types of objects:</p>
-    <ul>
@@ -15 +17 @@
-    <form action="" method="post">
-    <input type="hidden" name="post" value="yes" />
-    <input type="submit" value="Yes, I'm sure" />
+    {% load csrf %}{% csrf_token %}
-    </form>
-{% endif %}
-

templatetags/csrf.py

@@ +1 @@
+from django.core import template
+from django.models.auth import csrf
+import random, md5, datetime
+
+class CsrfTokenNode(template.Node):
+    def render(self, context):
+        token = md5.new(str(random.random())).hexdigest()
+        ct = csrf.CsrfToken(None, token, 
+            datetime.datetime.now(), context['user'].id)
+        ct.save()
+        return '<input type="hidden" name="csrf_token" value="%s">' % token
+
+def csrf_token(parser, token):
+    """
+    {% csrf_token %}
+    """
+    return CsrfTokenNode()
+
+template.register_tag('csrf_token', csrf_token)

views/admin/main.py

@@ -588 +588 @@
-    if opts.admin.save_on_top:
-        t.extend(_get_submit_row_template(opts, app_label, add, change, show_delete, ordered_objects))
-    t.append('{% if form.error_dict %}<p class="errornote">Please correct the error{{ form.error_dict.items|pluralize }} below.</p>{% endif %}\n')
+    t.append('{% if csrf_failed %}<p class="errornote">CSRF protection: Please re-submit.</p>{% endif %}\n')
-    for fieldset_name, options in admin_field_objs:
-        t.append('<fieldset class="module aligned %s">\n\n' % options.get('classes', ''))
-        if fieldset_name:
@@ -687 +688 @@
-        t.append('<li id="p{%% firstof %(x)s %%}"><span id="handlep{%% firstof %(x)s %%}">{{ object|truncatewords:"5" }}</span></li>' % \
-            {'x': ' '.join(['object.%s' % o.pk.name for o in ordered_objects])})
-        t.append('{% endfor %}</ul>{% endif %}\n')
+    t.append('{% load csrf %}{% csrf_token %}\n')
-    t.append('</form>\n</div>\n{% endblock %}')
-    return ''.join(t)
-
@@ -759 +761 @@
-        t.append('{% endif %}')
-    return ''.join(t)
-
+def csrf_token_check(request):
+    from django.models.auth import csrf
+    try:
+        token = csrf.get_object(token__exact = request.POST.get('csrf_token', ''),
+            select = {'user_id': request.user.id})
+    except csrf.CsrfTokenDoesNotExist:
+        return False
+    token.delete()
+    return True
+
-def add_stage(request, app_label, module_name, show_delete=False, form_url='', post_url='../', post_url_continue='../%s/', object_id_override=None):
-    mod, opts = _get_mod_opts(app_label, module_name)
-    if not request.user.has_perm(app_label + '.' + opts.get_add_permission()):
-        raise PermissionDenied
-    manipulator = mod.AddManipulator()
+    csrf_failed = False
-    if request.POST:
-        new_data = request.POST.copy()
-        if opts.has_field_type(meta.FileField):
-            new_data.update(request.FILES)
-        errors = manipulator.get_validation_errors(new_data)
-
+
+
+
-            for f in opts.many_to_many:
-                if f.rel.raw_id_admin:
-                    new_data.setlist(f.name, new_data[f.name].split(","))
@@ -844 +859 @@
-        'title': 'Add %s' % opts.verbose_name,
-        "form": form,
-        "is_popup": request.REQUEST.has_key("_popup"),
+        "csrf_failed": csrf_failed,
-    })
-    if object_id_override is not None:
-        c['object_id'] = object_id_override
@@ -864 +880 @@
-        raise Http404
-
-    inline_related_objects = opts.get_inline_related_objects()
+    csrf_failed = False
-    if request.POST:
-        new_data = request.POST.copy()
-        if opts.has_field_type(meta.FileField):
-            new_data.update(request.FILES)
-
-        errors = manipulator.get_validation_errors(new_data)
-
+
+
+
-            for f in opts.many_to_many:
-                if f.rel.raw_id_admin:
-                    new_data.setlist(f.name, new_data[f.name].split(","))
@@ -969 +988 @@
-        "form": form,
-        'object_id': object_id,
-        'original': manipulator.original_object,
-
+
+
-    })
-    raw_template = _get_template(opts, app_label, change=True)
-#     return HttpResponse(raw_template, mimetype='text/plain')
@@ -1073 +1093 @@
-    deleted_objects = ['%s: <a href="../../%s/">%s</a>' % (capfirst(opts.verbose_name), object_id, strip_tags(repr(obj))), []]
-    perms_needed = sets.Set()
-    _get_deleted_objects(deleted_objects, perms_needed, request.user, obj, opts, 1)
-
-
+
+
+
+
-        if perms_needed:
-            raise PermissionDenied
-        obj_repr = repr(obj)
@@ -1089 +1111 @@
-        "object": obj,
-        "deleted_objects": deleted_objects,
-        "perms_lacking": perms_needed,
+        "csrf_failed": csrf_failed,
-    })
-    return HttpResponse(t.render(c), mimetype='text/html; charset=utf-8')
-