Posted to commits@allura.apache.org by tv...@apache.org on 2013/12/05 23:17:08 UTC

[1/9] git commit: [#5475] ticket:493 Remove csrf token from GET forms

Updated Branches:
  refs/heads/tv/6941 50abb91e9 -> 0aedbc9f4 (forced update)


[#5475] ticket:493 Remove csrf token from GET forms


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/9c4b569d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/9c4b569d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/9c4b569d

Branch: refs/heads/tv/6941
Commit: 9c4b569d1fed1b5880f915e4e4872dacce46c86f
Parents: 5042b1d
Author: Igor Bondarenko <je...@gmail.com>
Authored: Wed Nov 13 14:18:40 2013 +0200
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 4 15:35:11 2013 +0000

----------------------------------------------------------------------
 Allura/allura/ext/admin/templates/project_groups.html              | 2 --
 Allura/allura/ext/admin/templates/project_tools.html               | 1 -
 Allura/allura/ext/admin/templates/project_trove.html               | 2 +-
 Allura/allura/ext/user_profile/templates/send_message_form.html    | 2 ++
 Allura/allura/templates/jinja_master/sidebar_menu.html             | 2 --
 Allura/allura/templates/site_admin_new_projects.html               | 1 -
 Allura/allura/templates/widgets/admin_form.html                    | 2 +-
 Allura/allura/templates/widgets/forge_form.html                    | 2 +-
 Allura/allura/templates/widgets/moderate_posts.html                | 2 +-
 Allura/allura/templates/widgets/page_size.html                     | 2 --
 Allura/allura/templates/widgets/search_results.html                | 2 --
 Allura/allura/templates/widgets/subscription_form.html             | 2 +-
 ForgeBlog/forgeblog/templates/blog/post_history.html               | 1 -
 ForgeBlog/forgeblog/templates/blog_widgets/post_form.html          | 2 +-
 .../forgediscussion/templates/discussion_widgets/add_forum.html    | 2 +-
 .../templates/discussion_widgets/add_forum_short.html              | 2 +-
 ForgeTracker/forgetracker/templates/tracker/search.html            | 1 -
 .../forgetracker/templates/tracker_widgets/options_admin.html      | 2 +-
 .../templates/tracker_widgets/ticket_search_results.html           | 2 --
 19 files changed, 11 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/ext/admin/templates/project_groups.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_groups.html b/Allura/allura/ext/admin/templates/project_groups.html
index 7783f70..54f7c26 100644
--- a/Allura/allura/ext/admin/templates/project_groups.html
+++ b/Allura/allura/ext/admin/templates/project_groups.html
@@ -45,7 +45,6 @@
 {% endmacro %}
 
 {% block content %}
-              {{lib.csrf_token()}}
 <p>Project permissions are assigned to groups of users. Add users to a group appropriate to the role they fill in your project. <a href="#" id="show_help">more...</a></p>
 <div id="help_text" style="display:none">
 <p>By default, your project has three groups of progressively more privileged users (Member, Developer, and Admin groups). There are also catch alls for any logged in user (Authenticated) and any user even if they aren't logged in (Anonymous). Permissions allowed to a less privileged group are inherited by more privileged ones.</p>
@@ -85,7 +84,6 @@
               <input type="text" placeholder="type a username">
               <input type="submit" value="Save" class="nofloat">
               <a href="#" class="cancel_link">cancel</a>
-              {{lib.csrf_token()}}
             </form>
           </li>
           <li class="adder">
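Review bot: The opening `<form>` tag of this form is outside the hunk, so the hunk alone does not show that it is a GET form, and a username input next to a "Save" submit reads like a state-changing action. If the form is submitted by POST, directly or by script, dropping `{{lib.csrf_token()}}` leaves the request without the token unless the handler obtains it another way, so the form's method and the handler's check should be confirmed before merging. The same "form tag not visible" situation applies to the removals in project_tools.html, site_admin_new_projects.html, blog/post_history.html, tracker/search.html and ticket_search_results.html.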

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/ext/admin/templates/project_tools.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_tools.html b/Allura/allura/ext/admin/templates/project_tools.html
index dc193c1..f70996c 100644
--- a/Allura/allura/ext/admin/templates/project_tools.html
+++ b/Allura/allura/ext/admin/templates/project_tools.html
@@ -150,7 +150,6 @@
   <div class="grid-13">
     <input type="button" value="Delete" class="continue_delete"> <input type="button" value="Cancel" class="cancel_delete close">
   </div>
-  {{lib.csrf_token()}}
 </form>
 {{c.admin_modal.display(content='<h1 id="popup_title"></h1><div id="popup_contents"></div>')}}
 {{c.mount_delete.display(content='<h1>Confirm Delete</h1>')}}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/ext/admin/templates/project_trove.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_trove.html b/Allura/allura/ext/admin/templates/project_trove.html
index fbd220c..dd7bd51 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -108,7 +108,7 @@
                     insertAfter = this;
                 }
               });
-              var $newItem = $('<div><span class="trove_fullpath">'+resp.trove_full_path+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+type+'"><input type="hidden" name="trove" value="'+new_id+'">'+del_btn+'</form>{{lib.csrf_token()}}</div>');
+              var $newItem = $('<div><span class="trove_fullpath">'+resp.trove_full_path+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+type+'"><input type="hidden" name="trove" value="'+new_id+'">'+del_btn+'</form></div>');
               if (insertAfter) {
                 $newItem.insertAfter(insertAfter);
               } else {
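Review bot: The rewritten `$newItem` line still assembles markup by string concatenation of `resp.trove_full_path`, `type` and `new_id`, so any of those values containing markup characters would be parsed as HTML by jQuery; building the nodes with `.text()`/`.val()` removes that dependency on the values being clean. The token removal itself is fine: the old `{{lib.csrf_token()}}` sat after `</form>`, so it was never part of the `trove_deleter` submission anyway. `del_btn` is presumably an HTML snippet and is kept as-is below; if it is plain text, use `.text()` for it too.
```javascript
var $newItem = $('<div>').append(
    $('<span class="trove_fullpath">').text(resp.trove_full_path), ' ',
    $('<form class="trove_deleter">').append(
        $('<input type="hidden" name="type">').val(type),
        $('<input type="hidden" name="trove">').val(new_id),
        del_btn));
// … unchanged: insertAfter handling …
```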

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/ext/user_profile/templates/send_message_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/user_profile/templates/send_message_form.html b/Allura/allura/ext/user_profile/templates/send_message_form.html
index 9a2b0df..1a083ac 100644
--- a/Allura/allura/ext/user_profile/templates/send_message_form.html
+++ b/Allura/allura/ext/user_profile/templates/send_message_form.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <div class="editbox">
     <div class="grid-19">
         <b>To:</b> <a href="{{user.url()}}">{{user.display_name|default(user.username)}}</a>
@@ -25,6 +26,7 @@
     </div>
     <div class="grid-19">&nbsp;</div>
     <form method="{{method}}" action="{{action}}">
+        {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
         <div class="grid-19">
             <label class="cr">Subject:</label>
             {{widget.display_field(widget.fields.subject)}}
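Review bot: `{% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}` is repeated verbatim here and in admin_form.html, forge_form.html, moderate_posts.html, subscription_form.html, blog_widgets/post_form.html, add_forum.html, add_forum_short.html and options_admin.html; moving the method test into the lib macro, e.g. `{{lib.csrf_token(method)}}`, keeps the rule in one place. With Jinja's default `Undefined`, `method.upper()` raises at render time if `method` is missing from the widget context, whereas the visible `method="{{method}}"` would only have rendered an empty attribute, so every widget using these templates must always supply `method`. Comparing against `'POST'` is the right default, since a form without a method attribute is submitted as GET.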

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/jinja_master/sidebar_menu.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html b/Allura/allura/templates/jinja_master/sidebar_menu.html
index 5f82e64..08beed2 100644
--- a/Allura/allura/templates/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates/jinja_master/sidebar_menu.html
@@ -16,7 +16,6 @@
        specific language governing permissions and limitations
        under the License.
 -#}
-{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 {% set ul_active = [] %}
 {% macro sidebar_item(s) -%}
   {% if s.url %}
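Review bot: Removing the `lib` import is only safe if no other `lib.` reference survives in this file; the rest of the template is outside the hunk, so this cannot be confirmed here, and a stale reference would fail at render time rather than at load. The same check applies to the import removals in page_size.html, search_results.html and ticket_search_results.html (the latter keeps its separate `from ... import abbr_date`, which is unaffected).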
@@ -42,7 +41,6 @@
   {% if c.app and c.app.searchable %}
     <form id="search" method="GET" action="{{c.app.url + 'search/'}}">
       <input name="q" type="text" title="Search {{c.app.config.options.mount_label}}" placeholder="Search {{c.app.config.options.mount_label}}">
-      {{lib.csrf_token()}}
     </form>
   {% else %}
     <div>&nbsp;</div>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/site_admin_new_projects.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/site_admin_new_projects.html b/Allura/allura/templates/site_admin_new_projects.html
index 46cad9a..f6dc2f0 100644
--- a/Allura/allura/templates/site_admin_new_projects.html
+++ b/Allura/allura/templates/site_admin_new_projects.html
@@ -34,7 +34,6 @@
     <label for="end-dt">To: </label><input type="text" name="end-dt" id="end-dt" value="{{ window_end.strftime('%Y/%m/%d %H:%M:%S') }}">
     </div>
     <div class="grid-3"><input type="submit" value="Filter"></div>
-    {{lib.csrf_token()}}
   </form>
   </div>
   {{ _paging() }}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/widgets/admin_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/admin_form.html b/Allura/allura/templates/widgets/admin_form.html
index 04e29b0..0c608d6 100644
--- a/Allura/allura/templates/widgets/admin_form.html
+++ b/Allura/allura/templates/widgets/admin_form.html
@@ -43,5 +43,5 @@
     {% endfor %}
     <a href="#" class="close">Cancel</a>
   </div>
-  {{lib.csrf_token()}}
+  {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/widgets/forge_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/forge_form.html b/Allura/allura/templates/widgets/forge_form.html
index 6ab41d4..c62404e 100644
--- a/Allura/allura/templates/widgets/forge_form.html
+++ b/Allura/allura/templates/widgets/forge_form.html
@@ -54,5 +54,5 @@
   {% endif %}
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
-  {{lib.csrf_token()}}
+  {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/widgets/moderate_posts.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/moderate_posts.html b/Allura/allura/templates/widgets/moderate_posts.html
index e06fc12..7a81e1e 100644
--- a/Allura/allura/templates/widgets/moderate_posts.html
+++ b/Allura/allura/templates/widgets/moderate_posts.html
@@ -66,5 +66,5 @@
       {% endfor %}
     </tbody>
   </table>
-  {{lib.csrf_token()}}
+  {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/widgets/page_size.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/page_size.html b/Allura/allura/templates/widgets/page_size.html
index 99fc3ac..baed90a 100644
--- a/Allura/allura/templates/widgets/page_size.html
+++ b/Allura/allura/templates/widgets/page_size.html
@@ -16,7 +16,6 @@
        specific language governing permissions and limitations
        under the License.
 -#}
-{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="get">
   {% for k,v in widget.url_params.iteritems() %}
     <input type="hidden" name="{{k}}" value="{{v}}"/>
@@ -35,5 +34,4 @@
   {% endif %}
   result{% if limit|int != 1 %}s{% endif %} of {{count}} </strong></p>
   {% endif %}
-  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/widgets/search_results.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/search_results.html b/Allura/allura/templates/widgets/search_results.html
index 74b9134..464dab4 100644
--- a/Allura/allura/templates/widgets/search_results.html
+++ b/Allura/allura/templates/widgets/search_results.html
@@ -16,7 +16,6 @@
        specific language governing permissions and limitations
        under the License.
 -#}
-{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="GET" action=".">
   <div class="grid-10">
     <input type="text" name="q" value="{{q}}" class="search-query" title="Search App"/>
@@ -53,7 +52,6 @@
       <input id="search-history" type="checkbox" name="history"{% if history %} checked{% endif %}>
     {% endif %}
   </div>
-  {{lib.csrf_token()}}
 </form>
 <div style="clear:both">&nbsp;</div>
 {% if search_error %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/Allura/allura/templates/widgets/subscription_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/subscription_form.html b/Allura/allura/templates/widgets/subscription_form.html
index 45aed2a..1a58efe 100644
--- a/Allura/allura/templates/widgets/subscription_form.html
+++ b/Allura/allura/templates/widgets/subscription_form.html
@@ -27,7 +27,7 @@
     <input type="submit" value="Update email subscriptions"/>
     {% endif %}
     </p>
-    {{lib.csrf_token()}}
+    {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
   </form>
   {{widget.fields['page_list'].display(limit=limit, page=page, count=count)}}
   {{widget.fields['page_size'].display(limit=limit, page=page, count=count)}}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/ForgeBlog/forgeblog/templates/blog/post_history.html
----------------------------------------------------------------------
diff --git a/ForgeBlog/forgeblog/templates/blog/post_history.html b/ForgeBlog/forgeblog/templates/blog/post_history.html
index 2fb74e8..fd1efbf 100644
--- a/ForgeBlog/forgeblog/templates/blog/post_history.html
+++ b/ForgeBlog/forgeblog/templates/blog/post_history.html
@@ -51,6 +51,5 @@
               {% endfor %}
               </tbody>
             </table>
-            {{lib.csrf_token()}}
           </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
----------------------------------------------------------------------
diff --git a/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html b/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
index 66e3b4d..5ec530f 100644
--- a/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
+++ b/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
@@ -51,6 +51,6 @@
   </div>
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
-  {{lib.csrf_token()}}
+  {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>
 </div>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
index b483c92..f53d42d 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
@@ -48,7 +48,7 @@
       <input type="button" id="add_forum_cancel" value="Cancel">
     </div>
   </div>
-  {{lib.csrf_token()}}
+  {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>
 <script type="text/javascript">
     function addLoadEvent(func) {

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
index 273a00e..9c6bdf7 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
@@ -48,7 +48,7 @@
     <input type="submit" id="new_forum.create" name="new_forum.create" value="Save">
     <a id="add_forum_cancel" class="btn link">Cancel</a>
   </div>
-  {{lib.csrf_token()}}
+  {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>
 <script type="text/javascript">
   {% for field in widget.fields %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/ForgeTracker/forgetracker/templates/tracker/search.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker/search.html b/ForgeTracker/forgetracker/templates/tracker/search.html
index a690830..c355f47 100644
--- a/ForgeTracker/forgetracker/templates/tracker/search.html
+++ b/ForgeTracker/forgetracker/templates/tracker/search.html
@@ -74,7 +74,6 @@
     <input type="button" value="Update Search" id="save_search"/>
   {% endif %}
   <input type="submit" value="Search"/>
-  {{lib.csrf_token()}}
 </form>
 <a href="{{tg.url(c.app.url + 'search_help/')}}" target="_blank" class="btn search_help_modal"><b data-icon="{{g.icons['help'].char}}" class="ico {{g.icons['help'].css}}"></b> Help</a>
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
index 2483917..e07cb37 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
@@ -45,5 +45,5 @@
     {% endfor %}
     <a href="#" onclick="window.history.back(); return false;" class="close">Cancel</a>
   </div>
-  {{lib.csrf_token()}}
+  {% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/9c4b569d/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
index 91ee78a..2c5bb6c 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
@@ -17,7 +17,6 @@
        under the License.
 -#}
 {% from 'allura:templates/jinja_master/lib.html' import abbr_date with context %}
-{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <div id="ticket_search_results_holder" style="clear:both">
   {% if solr_error %}<p>{{solr_error}}</p>{% endif %}
   {{widget.fields['page_size'].display(page=page, count=count, limit=limit)}}
@@ -104,7 +103,6 @@
       {% if h.has_access(c.app, 'configure') %}
           <a href="{{c.project.url()}}admin/{{c.app.config.options.mount_point}}/fields">Change field settings permanently.</a>
       {% endif %}
-      {{lib.csrf_token()}}
     </form>
     {{widget.fields['lightbox'].display()}}
   {% endif %}


[8/9] git commit: [#6941] Don't break on svn commit _id, which contains ':'

Posted by tv...@apache.org.
[#6941] Don't break on svn commit _id, which contains ':'

Signed-off-by: Tim Van Steenburgh <tv...@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/83bb21c3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/83bb21c3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/83bb21c3

Branch: refs/heads/tv/6941
Commit: 83bb21c3d2b42fa788ed1b444626bd660cd008eb
Parents: 1edeb4a
Author: Tim Van Steenburgh <tv...@gmail.com>
Authored: Wed Dec 4 01:18:57 2013 +0000
Committer: Tim Van Steenburgh <tv...@gmail.com>
Committed: Thu Dec 5 21:03:28 2013 +0000

----------------------------------------------------------------------
 Allura/allura/model/timeline.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/83bb21c3/Allura/allura/model/timeline.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/timeline.py b/Allura/allura/model/timeline.py
index 38550b8..a80e5ba 100644
--- a/Allura/allura/model/timeline.py
+++ b/Allura/allura/model/timeline.py
@@ -67,7 +67,7 @@ def perm_check(user):
         if not extras_dict: return True
         allura_id = extras_dict.get('allura_id')
         if not allura_id: return True
-        classname, _id = allura_id.split(':')
+        classname, _id = allura_id.split(':', 1)
         cls = Mapper.by_classname(classname).mapped_class
         try:
             _id = bson.ObjectId(_id)
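Review bot: `classname, _id = allura_id.split(':', 1)` now tolerates extra colons in the id, but a value with no colon at all still raises `ValueError` from the unpack instead of taking either branch of the check. `classname, sep, _id = allura_id.partition(':')` followed by `if not sep: return True` (matching the permissive fallback used for a missing id) or `return False` (if malformed ids should be hidden) makes that choice explicit. perm_check's body starts before this hunk.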


[6/9] git commit: [#5475] ticket:493 Add CsrfForm and use it instead of SimpleForm where needed

Posted by tv...@apache.org.
[#5475] ticket:493 Add CsrfForm and use it instead of SimpleForm where needed


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/3ca3e1a9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/3ca3e1a9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/3ca3e1a9

Branch: refs/heads/tv/6941
Commit: 3ca3e1a9dd53812c35b86bc03fb75e05a693c2ec
Parents: 9c4b569
Author: Igor Bondarenko <je...@gmail.com>
Authored: Mon Nov 25 16:15:21 2013 +0200
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 4 15:35:12 2013 +0000

----------------------------------------------------------------------
 Allura/allura/ext/admin/widgets.py                       | 10 ++++++----
 Allura/allura/lib/widgets/discuss.py                     |  4 ++--
 Allura/allura/lib/widgets/forms.py                       | 11 +++++++++++
 Allura/allura/lib/widgets/subscriptions.py               |  3 ++-
 ForgeDiscussion/forgediscussion/widgets/forum_widgets.py | 11 +++++++----
 5 files changed, 28 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/3ca3e1a9/Allura/allura/ext/admin/widgets.py
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/widgets.py b/Allura/allura/ext/admin/widgets.py
index 85d9237..8eed0be 100644
--- a/Allura/allura/ext/admin/widgets.py
+++ b/Allura/allura/ext/admin/widgets.py
@@ -110,12 +110,14 @@ class PermissionCard(CardField):
         return role._id
 
 
-class GroupSettings(ew.SimpleForm):
+class GroupSettings(ff.CsrfForm):
     submit_text=None
 
-    class hidden_fields(ew_core.NameList):
-        _id = ew.HiddenField(
-            validator=V.Ming(M.ProjectRole))
+    @property
+    def hidden_fields(self):
+        f = super(GroupSettings, self).hidden_fields
+        f.append(ew.HiddenField(name='_id', validator=V.Ming(M.ProjectRole)))
+        return f
 
     class fields(ew_core.NameList):
         name = ew.InputField(label='Name')
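Review bot: The new `hidden_fields` property constructs a fresh `HiddenField` on every access and appends to the list returned by `super().hidden_fields`; this is only safe because `ff.CsrfForm.hidden_fields` (in the forms.py hunk of this commit) returns a new list per call, which deserves a comment such as `# CsrfForm.hidden_fields builds a new list per access, so appending here does not mutate shared state`. Whether easywidgets tolerates the `_id` field being a different object between validation and rendering is not visible here and should be confirmed. The `GroupSettings` class body continues past the end of the hunk.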

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/3ca3e1a9/Allura/allura/lib/widgets/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/widgets/discuss.py b/Allura/allura/lib/widgets/discuss.py
index eaec991..151a0c2 100644
--- a/Allura/allura/lib/widgets/discuss.py
+++ b/Allura/allura/lib/widgets/discuss.py
@@ -34,7 +34,7 @@ class NullValidator(fev.FancyValidator):
     def _from_python(self, value, state): return value
 
 # Discussion forms
-class ModerateThread(ew.SimpleForm):
+class ModerateThread(ff.CsrfForm):
     defaults=dict(
         ew.SimpleForm.defaults,
         submit_text=None)
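Review bot: `defaults=dict(ew.SimpleForm.defaults, submit_text=None)` still reads the grandparent's defaults after the base class changed to `ff.CsrfForm`; `dict(ff.CsrfForm.defaults, submit_text=None)` is equivalent today and stays correct if `CsrfForm` later gains defaults of its own. The same pattern is in the `SubscriptionForm` hunk of subscriptions.py.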
@@ -453,6 +453,6 @@ class Discussion(HierWidget):
         discussion_header=DiscussionHeader(),
         edit_post=EditPost(submit_text='New Topic'),
         subscription_form=SubscriptionForm())
-    
+
     def resources(self):
         for r in super(Discussion, self).resources(): yield r

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/3ca3e1a9/Allura/allura/lib/widgets/forms.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 4e1dae4..d99de0f 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -957,3 +957,14 @@ class MoveTicketForm(ForgeForm):
         self.fields.tracker.options = (
             [ew.Option(py_value=v, label=l, selected=s)
              for v, l, s in sorted(trackers, key=lambda x: x[1])])
+
+
+class CsrfForm(ew.SimpleForm):
+    @property
+    def hidden_fields(self):
+        return [ew.HiddenField(name='_session_id')]
+    def context_for(self, field):
+        ctx = super(CsrfForm, self).context_for(field)
+        if field.name == '_session_id':
+            ctx['value'] = tg.request.cookies['_session_id']
+        return ctx
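Review bot: `CsrfForm` has no docstring and no blank line between `hidden_fields` and `context_for`; the docstring should state that `hidden_fields` deliberately returns a new list on every access so subclasses can append to it, since `GroupSettings` in this commit relies on exactly that. The token value is the raw `_session_id` cookie copied into the page (a double-submit-cookie check), which presumably mirrors the existing `lib.csrf_token()` macro and so is not a regression, but it does mean any leak of rendered HTML exposes the session identifier; a token derived from the session rather than the session id itself would limit that exposure.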

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/3ca3e1a9/Allura/allura/lib/widgets/subscriptions.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/widgets/subscriptions.py b/Allura/allura/lib/widgets/subscriptions.py
index a0a1bc3..3f68d58 100644
--- a/Allura/allura/lib/widgets/subscriptions.py
+++ b/Allura/allura/lib/widgets/subscriptions.py
@@ -22,6 +22,7 @@ import ew.jinja2_ew as ew
 
 from allura.lib import validators as V
 from allura.lib.widgets import form_fields as ffw
+from allura.lib.widgets.forms import CsrfForm
 from allura import model as M
 
 from .form_fields import SubmitButton
@@ -44,7 +45,7 @@ class _SubscriptionTable(ew.TableField):
         # unsubscribe = SubmitButton()
         subscribed = ew.Checkbox(suppress_label=True)
 
-class SubscriptionForm(ew.SimpleForm):
+class SubscriptionForm(CsrfForm):
     defaults=dict(
         ew.SimpleForm.defaults,
         submit_text='Save')

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/3ca3e1a9/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py b/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
index 5df5370..1b04323 100644
--- a/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
+++ b/ForgeDiscussion/forgediscussion/widgets/forum_widgets.py
@@ -24,6 +24,7 @@ import ew.jinja2_ew as ew
 from allura.lib import validators as V
 from allura.lib.widgets import discuss as DW
 from allura.lib.widgets import form_fields as ffw
+from allura.lib.widgets.forms import CsrfForm
 from allura.lib.widgets.subscriptions import SubscribeForm
 
 from forgediscussion import model as M
@@ -46,7 +47,7 @@ class _ForumsTable(ew.TableField):
         subscribed=ew.Checkbox(suppress_label=True, show_label=True)
     fields.insert(0, _ForumSummary())
 
-class ForumSubscriptionForm(ew.SimpleForm):
+class ForumSubscriptionForm(CsrfForm):
     class fields(ew_core.NameList):
         forums=_ForumsTable()
         page_list=ffw.PageList()
@@ -95,22 +96,24 @@ class _ForumSelector(ew.SingleSelectField):
     def from_python(self, value, state):
         return value.shortname
 
-class ModerateThread(ew.SimpleForm):
+class ModerateThread(CsrfForm):
     submit_text='Save Changes'
     class fields(ew_core.NameList):
         discussion=_ForumSelector(label='New Forum')
         flags=ew.CheckboxSet(options=['Sticky', 'Announcement'])
+
     class buttons(ew_core.NameList):
         delete=ew.SubmitButton(label='Delete Thread')
 
-class ModeratePost(ew.SimpleForm):
+
+class ModeratePost(CsrfForm):
     submit_text=None
     fields=[
         ew.FieldSet(legend='Promote post to its own thread', fields=[
                 ew.TextField(name='subject', label='Thread title'),
                 ew.SubmitButton(name='promote', label='Promote to thread')])]
 
-class PromoteToThread(ew.SimpleForm):
+class PromoteToThread(CsrfForm):
     submit_text=None
     fields=[
         ew.TextField(name='subject', label='Thread title'),


[5/9] git commit: [#5475] ticket:493 Use request.cookies.get() instead of [] to prevent test failures

Posted by tv...@apache.org.
[#5475] ticket:493 Use request.cookies.get() instead of [] to prevent test failures


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/6426ead9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/6426ead9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/6426ead9

Branch: refs/heads/tv/6941
Commit: 6426ead9bae9368971816ee6d7dd718a0fcc3019
Parents: 3ca3e1a
Author: Igor Bondarenko <je...@gmail.com>
Authored: Mon Nov 25 17:20:18 2013 +0200
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 4 15:35:12 2013 +0000

----------------------------------------------------------------------
 Allura/allura/lib/widgets/forms.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/6426ead9/Allura/allura/lib/widgets/forms.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index d99de0f..e656fc0 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -966,5 +966,5 @@ class CsrfForm(ew.SimpleForm):
     def context_for(self, field):
         ctx = super(CsrfForm, self).context_for(field)
         if field.name == '_session_id':
-            ctx['value'] = tg.request.cookies['_session_id']
+            ctx['value'] = tg.request.cookies.get('_session_id')
         return ctx
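Review bot: `tg.request.cookies.get('_session_id')` yields `None` when the cookie is absent, and depending on how easywidgets renders a `None` value the hidden input may carry the literal string `None`; `tg.request.cookies.get('_session_id', '')` renders an empty field instead and still fails the server-side comparison cleanly. The context of `context_for` is fully visible here, but `CsrfForm.hidden_fields` is outside the hunk.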


[9/9] git commit: [#6941] Check commit activity access against original tool if possible.

Posted by tv...@apache.org.
[#6941] Check commit activity access against original tool if possible.

Signed-off-by: Tim Van Steenburgh <tv...@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/0aedbc9f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/0aedbc9f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/0aedbc9f

Branch: refs/heads/tv/6941
Commit: 0aedbc9f4c084b954f6ff6fcf458321d02cda75d
Parents: 83bb21c
Author: Tim Van Steenburgh <tv...@gmail.com>
Authored: Thu Dec 5 22:16:30 2013 +0000
Committer: Tim Van Steenburgh <tv...@gmail.com>
Committed: Thu Dec 5 22:16:30 2013 +0000

----------------------------------------------------------------------
 Allura/allura/model/discuss.py  |  2 +-
 Allura/allura/model/repo.py     | 19 ++++++++++++++++++-
 Allura/allura/model/timeline.py |  4 ++--
 3 files changed, 21 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/0aedbc9f/Allura/allura/model/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index df55ac9..7b4f306 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -476,7 +476,7 @@ class Post(Message, VersionedArtifact, ActivityObject):
     def activity_name(self):
         return 'a comment'
 
-    def has_activity_access(self, perm, user):
+    def has_activity_access(self, perm, user, activity):
         """Return True if user has perm access to this object, otherwise
         return False.
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/0aedbc9f/Allura/allura/model/repo.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/repo.py b/Allura/allura/model/repo.py
index 1ff6641..4a5d1ef 100644
--- a/Allura/allura/model/repo.py
+++ b/Allura/allura/model/repo.py
@@ -37,8 +37,10 @@ from ming.orm import mapper, session
 
 from allura.lib import utils
 from allura.lib import helpers as h
+from allura.lib.security import has_access
 
 from .auth import User
+from .project import AppConfig, Project
 from .session import main_doc_session, project_doc_session
 from .session import repository_orm_session
 from .timeline import ActivityObject
@@ -174,10 +176,25 @@ class Commit(RepoObject, ActivityObject):
     def activity_name(self):
         return self.shorthand_id()
 
-    def has_activity_access(self, perm, user):
+    @property
+    def activity_extras(self):
+        d = ActivityObject.activity_extras.fget(self)
+        d.update(summary=self.summary)
+        if self.repo:
+            d.update(app_config_id=self.repo.app.config._id)
+        return d
+
+    def has_activity_access(self, perm, user, activity):
         """Commits have no ACLs and are therefore always viewable by any user.
 
         """
+        app_config_id = activity.obj.activity_extras.get('app_config_id')
+        if app_config_id:
+            app_config = AppConfig.query.get(_id=app_config_id)
+            if app_config:
+                project = Project.query.get(_id=app_config.project_id)
+                app = app_config.load()(project, app_config)
+                return has_access(app, perm, user, project)
         return True
 
     def set_context(self, repo):
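Review bot: The docstring of has_activity_access still says commits are always viewable, but the new body delegates to `has_access(app, perm, user, project)` whenever an `app_config_id` is recorded in the activity, so the text is now wrong; reword it to say the check is made against the originating tool when one can be resolved, falling back to True otherwise. That fallback is fail-open: if `app_config_id` is set but `AppConfig.query.get` returns None (for instance a tool that has since been uninstalled) the method returns True, and if `Project.query.get` returns None the `has_access` call receives a None project — if that is not intended, `if not app_config: return False  # originating tool is gone; do not fail open` is the minimal change. The method also reads `activity.obj.activity_extras` rather than `self.activity_extras`; a one-line comment on why the stored activity's extras are preferred over the live commit would help readers. The Commit class starts outside the hunk.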

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/0aedbc9f/Allura/allura/model/timeline.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/timeline.py b/Allura/allura/model/timeline.py
index a80e5ba..b45118e 100644
--- a/Allura/allura/model/timeline.py
+++ b/Allura/allura/model/timeline.py
@@ -51,7 +51,7 @@ class ActivityObject(base.ActivityObjectBase):
         """
         return "%s:%s" % (self.__class__.__name__, self._id)
 
-    def has_activity_access(self, perm, user):
+    def has_activity_access(self, perm, user, activity):
         """Return True if user has perm access to this object, otherwise
         return False.
         """
@@ -74,5 +74,5 @@ def perm_check(user):
         except bson.errors.InvalidId:
             pass
         obj = cls.query.get(_id=_id)
-        return obj and obj.has_activity_access('read', user)
+        return obj and obj.has_activity_access('read', user, activity)
     return _perm_check


[4/9] git commit: [#5475] ticket:472 JS CSFR protecion has moved to csfr_token Jinja macro

[#5475] ticket:472 JS CSRF protection has moved to csrf_token Jinja macro


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/127ea61f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/127ea61f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/127ea61f

Branch: refs/heads/tv/6941
Commit: 127ea61f69d6994ccd6e085ed687a0a6486439c7
Parents: 6449dbb
Author: Andrej Aleksandrov <pi...@gmail.com>
Authored: Thu Nov 7 10:52:00 2013 +0200
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 4 15:35:11 2013 +0000

----------------------------------------------------------------------
 Allura/allura/public/nf/js/allura-base.js       | 4 ----
 Allura/allura/templates/jinja_master/lib.html   | 7 +++++++
 Allura/allura/templates/widgets/forge_form.html | 2 ++
 3 files changed, 9 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/127ea61f/Allura/allura/public/nf/js/allura-base.js
----------------------------------------------------------------------
diff --git a/Allura/allura/public/nf/js/allura-base.js b/Allura/allura/public/nf/js/allura-base.js
index 5973609..e6e205e 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -213,10 +213,6 @@ $(function(){
         }
     });
 
-    // Provide CSRF protection
-    var cval = $.cookie('_session_id');
-    $('form[method=post]').append('<input name="_session_id" type="hidden" value="'+cval+'">');
-
     var SN_ID=0, SN_VIEWS=1, SN_CLOSED=2;
     $('#site-notification .btn-close').click(function(e) {
         var $note = $(this).parent();

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/127ea61f/Allura/allura/templates/jinja_master/lib.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/jinja_master/lib.html b/Allura/allura/templates/jinja_master/lib.html
index 8f6ddf2..4162368 100644
--- a/Allura/allura/templates/jinja_master/lib.html
+++ b/Allura/allura/templates/jinja_master/lib.html
@@ -16,6 +16,13 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+
+{% macro csrf_token() -%}
+  {% if request %}
+    <input name="_session_id" type="hidden" value="{{request.cookies['_session_id']}}">
+  {% endif %}
+{%- endmacro %}
+
 {% macro related_artifacts(artifact) -%}
   {% set related_artifacts = artifact.related_artifacts() %}
   {% if related_artifacts %}
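Review bot: `request.cookies['_session_id']` in the new macro indexes the cookie directly, whereas the companion change to CsrfForm.context_for in forms.py (commit 9c4b569d in this series) switched to `.get()`; in Jinja a missing key yields an Undefined that renders as an empty string by default but raises under StrictUndefined, so the two paths may behave differently for a client without the cookie. `value="{{request.cookies.get('_session_id', '')}}"` keeps them consistent. The macro also emits the cookie value inside an HTML attribute; whether it is escaped depends on the environment's autoescape setting, which is not visible here.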

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/127ea61f/Allura/allura/templates/widgets/forge_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/forge_form.html b/Allura/allura/templates/widgets/forge_form.html
index adbc01c..de20c42 100644
--- a/Allura/allura/templates/widgets/forge_form.html
+++ b/Allura/allura/templates/widgets/forge_form.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="{{method}}"
       {% if enctype %}enctype="{{enctype}}"{% endif %}
       {% if target %}target="{{target}}"{% endif %}
@@ -53,4 +54,5 @@
   {% endif %}
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
+  {{lib.csrf_token()}} 
 </form>
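Review bot: `{{lib.csrf_token()}}` is appended regardless of `method="{{method}}"` on the form's opening tag, so for a GET form the hidden `_session_id` field ends up in the request URL, where the session cookie value is exposed in browser history, server logs and Referer headers; the same happens in the explicit `method="GET"` search form in the sidebar_menu.html hunk of commit d778f65a. Guarding the call, e.g. `{% if method|lower == 'post' %}{{lib.csrf_token()}}{% endif %}`, keeps the token off GET forms; the later commit 9c4b569d in this series ("Remove csrf token from GET forms") appears to address this. The added line also carries trailing whitespace.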


[3/9] git commit: [#5475] ticket:473 CSRF token was added to all hand-coded forms

[#5475] ticket:473 CSRF token was added to all hand-coded forms


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/d778f65a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/d778f65a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/d778f65a

Branch: refs/heads/tv/6941
Commit: d778f65aa1ec893ce3a69129b6d14417bf8d3800
Parents: 127ea61
Author: Andrej Aleksandrov <pi...@gmail.com>
Authored: Fri Nov 8 15:11:57 2013 +0200
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 4 15:35:11 2013 +0000

----------------------------------------------------------------------
 .../ext/admin/templates/admin_widgets/metadata_admin.html       | 2 ++
 Allura/allura/ext/admin/templates/export.html                   | 1 +
 Allura/allura/ext/admin/templates/project_groups.html           | 2 ++
 Allura/allura/ext/admin/templates/project_invitations.html      | 1 +
 Allura/allura/ext/admin/templates/project_permissions.html      | 1 +
 Allura/allura/ext/admin/templates/project_tools.html            | 5 +++++
 Allura/allura/ext/admin/templates/project_trove.html            | 5 ++++-
 Allura/allura/ext/admin/templates/widgets/block_list.html       | 2 ++
 Allura/allura/ext/admin/templates/widgets/block_user.html       | 2 ++
 Allura/allura/templates/app_admin_options.html                  | 2 ++
 Allura/allura/templates/app_admin_permissions.html              | 1 +
 Allura/allura/templates/award.html                              | 1 +
 Allura/allura/templates/claim_openid.html                       | 1 +
 Allura/allura/templates/jinja_master/sidebar_menu.html          | 2 ++
 Allura/allura/templates/login.html                              | 1 +
 Allura/allura/templates/neighborhood_admin_accolades.html       | 4 ++++
 Allura/allura/templates/neighborhood_moderate.html              | 2 ++
 Allura/allura/templates/oauth_applications.html                 | 3 +++
 Allura/allura/templates/oauth_authorize.html                    | 1 +
 Allura/allura/templates/repo/default_branch.html                | 1 -
 Allura/allura/templates/repo/fork.html                          | 1 +
 Allura/allura/templates/repo/tarball.html                       | 1 +
 Allura/allura/templates/repo/tree.html                          | 1 +
 Allura/allura/templates/setup_openid_user.html                  | 1 +
 Allura/allura/templates/site_admin_add_subscribers.html         | 1 +
 Allura/allura/templates/site_admin_api_tickets.html             | 1 +
 Allura/allura/templates/site_admin_new_projects.html            | 1 +
 Allura/allura/templates/site_admin_reclone_repo.html            | 3 ++-
 Allura/allura/templates/site_admin_task_new.html                | 1 +
 Allura/allura/templates/site_admin_task_view.html               | 1 +
 Allura/allura/templates/user_prefs.html                         | 3 +++
 Allura/allura/templates/widgets/admin_form.html                 | 2 ++
 Allura/allura/templates/widgets/attachment_add.html             | 2 ++
 Allura/allura/templates/widgets/attachment_list.html            | 3 +++
 Allura/allura/templates/widgets/edit_post.html                  | 2 ++
 Allura/allura/templates/widgets/flag_post.html                  | 4 +++-
 Allura/allura/templates/widgets/forge_form.html                 | 2 +-
 Allura/allura/templates/widgets/moderate_post.html              | 4 ++++
 Allura/allura/templates/widgets/moderate_posts.html             | 2 ++
 Allura/allura/templates/widgets/neighborhood_add_project.html   | 2 ++
 Allura/allura/templates/widgets/neighborhood_overview_form.html | 1 +
 Allura/allura/templates/widgets/new_topic_post.html             | 2 ++
 Allura/allura/templates/widgets/page_size.html                  | 2 ++
 Allura/allura/templates/widgets/post_widget.html                | 1 +
 Allura/allura/templates/widgets/project_screenshots.html        | 3 +++
 Allura/allura/templates/widgets/search_results.html             | 2 ++
 Allura/allura/templates/widgets/subscription_form.html          | 2 ++
 Allura/allura/templates/widgets/vote.html                       | 2 ++
 ForgeBlog/forgeblog/templates/blog/admin_exfeed.html            | 2 ++
 ForgeBlog/forgeblog/templates/blog/post_history.html            | 1 +
 ForgeBlog/forgeblog/templates/blog_widgets/post_form.html       | 2 ++
 .../forgediscussion/templates/discussion_widgets/add_forum.html | 1 +
 .../templates/discussion_widgets/add_forum_short.html           | 2 ++
 .../templates/discussionforums/admin_forums.html                | 2 ++
 .../forgediscussion/templates/discussionforums/stats_graph.html | 4 +++-
 ForgeImporters/forgeimporters/templates/importer_base.html      | 1 +
 ForgeImporters/forgeimporters/templates/project_base.html       | 1 +
 ForgeShortUrl/forgeshorturl/templates/form.html                 | 3 +++
 ForgeTracker/forgetracker/templates/tracker/admin_fields.html   | 1 +
 ForgeTracker/forgetracker/templates/tracker/bin.html            | 1 +
 ForgeTracker/forgetracker/templates/tracker/milestones.html     | 1 +
 ForgeTracker/forgetracker/templates/tracker/search.html         | 1 +
 .../forgetracker/templates/tracker_widgets/bin_form.html        | 2 ++
 .../forgetracker/templates/tracker_widgets/mass_edit_form.html  | 4 +++-
 .../forgetracker/templates/tracker_widgets/options_admin.html   | 2 ++
 .../forgetracker/templates/tracker_widgets/ticket_form.html     | 1 +
 .../templates/tracker_widgets/ticket_search_results.html        | 2 ++
 ForgeWiki/forgewiki/templates/wiki/page_edit.html               | 2 ++
 68 files changed, 122 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/admin_widgets/metadata_admin.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/admin_widgets/metadata_admin.html b/Allura/allura/ext/admin/templates/admin_widgets/metadata_admin.html
index bfce390..a1a20ab 100644
--- a/Allura/allura/ext/admin/templates/admin_widgets/metadata_admin.html
+++ b/Allura/allura/ext/admin/templates/admin_widgets/metadata_admin.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="POST" action="update" enctype="multipart/form-data" id="metadata_form">
   <div class="grid-9">
     {{ widget.display_label(widget.fields.name) }}
@@ -170,4 +171,5 @@
   <div class="grid-15">
     <input type="submit" value="Save">
   </div>
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/export.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/export.html b/Allura/allura/ext/admin/templates/export.html
index a0620ad..a8081f1 100644
--- a/Allura/allura/ext/admin/templates/export.html
+++ b/Allura/allura/ext/admin/templates/export.html
@@ -56,6 +56,7 @@
       </div>
       {% endfor %}
       <p><div class="grid-19"><input type="submit" value="Export" {% if status == 'busy' %}disabled{% endif %}></div></p>
+      {{lib.csrf_token()}}
     </form>
   {% else %}
     There are no exportable tools in your project.
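Review bot: `lib.csrf_token()` is called here but no `{% import ... as lib with context %}` appears in the hunk, unlike the metadata_admin.html and block_list.html hunks of this commit that add one; if export.html does not already import jinja_master/lib.html (or receive `lib` as a global), the macro call fails at render time. The same applies to the project_groups, project_invitations, project_permissions, project_tools, project_trove, app_admin_permissions, award, claim_openid, login, neighborhood_admin_accolades, neighborhood_moderate, oauth_applications, oauth_authorize and repo/fork hunks. Worth confirming against the top of each template, which is outside these hunks.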

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/project_groups.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_groups.html b/Allura/allura/ext/admin/templates/project_groups.html
index 54f7c26..7783f70 100644
--- a/Allura/allura/ext/admin/templates/project_groups.html
+++ b/Allura/allura/ext/admin/templates/project_groups.html
@@ -45,6 +45,7 @@
 {% endmacro %}
 
 {% block content %}
+              {{lib.csrf_token()}}
 <p>Project permissions are assigned to groups of users. Add users to a group appropriate to the role they fill in your project. <a href="#" id="show_help">more...</a></p>
 <div id="help_text" style="display:none">
 <p>By default, your project has three groups of progressively more privileged users (Member, Developer, and Admin groups). There are also catch alls for any logged in user (Authenticated) and any user even if they aren't logged in (Anonymous). Permissions allowed to a less privileged group are inherited by more privileged ones.</p>
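Review bot: The `{{lib.csrf_token()}}` added at the top of `{% block content %}` sits outside any `<form>` in the visible context (the next element is a `<p>`), so the hidden `_session_id` input it renders is never submitted with anything. Unless a form opens between this line and the block's first form further down, the line should be removed and the token placed inside each POST form, as the second hunk of this file does. The later commit 9c4b569d in this series lists two deletions in this file, which may already cover this.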
@@ -84,6 +85,7 @@
               <input type="text" placeholder="type a username">
               <input type="submit" value="Save" class="nofloat">
               <a href="#" class="cancel_link">cancel</a>
+              {{lib.csrf_token()}}
             </form>
           </li>
           <li class="adder">

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/project_invitations.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_invitations.html b/Allura/allura/ext/admin/templates/project_invitations.html
index 7f4e63e..32c7e05 100644
--- a/Allura/allura/ext/admin/templates/project_invitations.html
+++ b/Allura/allura/ext/admin/templates/project_invitations.html
@@ -37,5 +37,6 @@
               {% endfor %}
             </select>
             <input type="submit" value="Join Neighborhood"/>
+            {{lib.csrf_token()}}
           </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/project_permissions.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_permissions.html b/Allura/allura/ext/admin/templates/project_permissions.html
index 186bd06..c1ef6c6 100644
--- a/Allura/allura/ext/admin/templates/project_permissions.html
+++ b/Allura/allura/ext/admin/templates/project_permissions.html
@@ -47,5 +47,6 @@
     <input type="submit" value="Save">
     <a href="" class="btn link cancel">Cancel</a>
   </p>
+  {{lib.csrf_token()}}
 </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/project_tools.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_tools.html b/Allura/allura/ext/admin/templates/project_tools.html
index 36f98f5..dc193c1 100644
--- a/Allura/allura/ext/admin/templates/project_tools.html
+++ b/Allura/allura/ext/admin/templates/project_tools.html
@@ -73,6 +73,7 @@
     <div class="grid-13">
       <input type="submit" value="Save" name="new.install"> <a href="#" class="close btn link">Cancel</a>
     </div>
+    {{lib.csrf_token()}}
   </form>
   {{c.install_modal.display(content='<h1>Install <span id="install_tool_label">Tool</span></h1>')}}
 
@@ -108,6 +109,7 @@
                         {% if mount['ac'].load().uninstallable %}
                           <a href="#" class="mount_delete" data-mount-point="{{ mount['ac'].options.mount_point }}">Delete</a>
                         {% endif %}
+                        {{lib.csrf_token()}}
                       </form>
                     </li>
                     {% endif %}
@@ -131,6 +133,7 @@
                                  value="{{mount['sub'].shortname}}"/>
                           <input name="subproject-{{loop.index0}}.delete" type="hidden" value="Delete"/>
                           <a href="#" class="mount_delete" data-mount-point="{{ mount['sub'].shortname }}">Delete</a>
+                          {{lib.csrf_token()}}
                       </form>
                     </li>
                 </ul>
@@ -147,6 +150,7 @@
   <div class="grid-13">
     <input type="button" value="Delete" class="continue_delete"> <input type="button" value="Cancel" class="cancel_delete close">
   </div>
+  {{lib.csrf_token()}}
 </form>
 {{c.admin_modal.display(content='<h1 id="popup_title"></h1><div id="popup_contents"></div>')}}
 {{c.mount_delete.display(content='<h1>Confirm Delete</h1>')}}
@@ -158,6 +162,7 @@
         <input name="grouping_threshold" value="{{c.project.get_tool_data('allura', 'grouping_threshold', 1)}}"/>
     </label>
     <br/><input type="submit" value="Change"/>
+    {{lib.csrf_token()}}
 </form>
 {% endblock %}
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/project_trove.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/project_trove.html b/Allura/allura/ext/admin/templates/project_trove.html
index fb799da..fbd220c 100644
--- a/Allura/allura/ext/admin/templates/project_trove.html
+++ b/Allura/allura/ext/admin/templates/project_trove.html
@@ -33,6 +33,7 @@
         <input type="hidden" name="type" value="{{base.shortname}}">
         <input type="hidden" name="trove" value="{{cat.trove_cat_id}}">
         <input type="submit" value="Delete">
+        {{lib.csrf_token()}}
       </form>
     </div>
   {% else %}
@@ -52,6 +53,7 @@
       </select>
       <br>
       <input type="submit" value="Add">
+      {{lib.csrf_token()}}
     </form>
   </div>
 {% endmacro %}
@@ -67,6 +69,7 @@
         {{ c.label_edit.display(id='labels', name='labels', value=c.project.labels) }}
         <br style="clear:both">
         <input type="submit" value="Save">
+        {{lib.csrf_token()}}
       </form>
     </div>
   {{show_trove_base_cat(topic_trove)}}
@@ -105,7 +108,7 @@
                     insertAfter = this;
                 }
               });
-              var $newItem = $('<div><span class="trove_fullpath">'+resp.trove_full_path+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+type+'"><input type="hidden" name="trove" value="'+new_id+'">'+del_btn+'</form></div>');
+              var $newItem = $('<div><span class="trove_fullpath">'+resp.trove_full_path+'</span> <form class="trove_deleter"><input type="hidden" name="type" value="'+type+'"><input type="hidden" name="trove" value="'+new_id+'">'+del_btn+'</form>{{lib.csrf_token()}}</div>');
               if (insertAfter) {
                 $newItem.insertAfter(insertAfter);
               } else {

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/widgets/block_list.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/widgets/block_list.html b/Allura/allura/ext/admin/templates/widgets/block_list.html
index c3db3ba..0163a6f 100644
--- a/Allura/allura/ext/admin/templates/widgets/block_list.html
+++ b/Allura/allura/ext/admin/templates/widgets/block_list.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <h1>Block list</h1>
 <form action="unblock_user" method="POST">
 <div class="model-block-list"></div>
@@ -24,4 +25,5 @@
 <hr>
 <div class="grid-13">&nbsp;</div>
 <input type="submit" value="Unblock">
+{{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/ext/admin/templates/widgets/block_user.html
----------------------------------------------------------------------
diff --git a/Allura/allura/ext/admin/templates/widgets/block_user.html b/Allura/allura/ext/admin/templates/widgets/block_user.html
index 9f087c3..8b1ea92 100644
--- a/Allura/allura/ext/admin/templates/widgets/block_user.html
+++ b/Allura/allura/ext/admin/templates/widgets/block_user.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <h1>Block User</h1>
 <form action="block_user" method="POST">
     <label class="grid-13">User Name</label>
@@ -28,4 +29,5 @@
     <div class="grid-13">&nbsp;</div>
     <input type="submit" value="Save">
     <a href="#" class="close">Cancel</a>
+    {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/app_admin_options.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/app_admin_options.html b/Allura/allura/templates/app_admin_options.html
index 83a3aa6..8924823 100644
--- a/Allura/allura/templates/app_admin_options.html
+++ b/Allura/allura/templates/app_admin_options.html
@@ -17,6 +17,7 @@
        under the License.
 -#}
 <!DOCTYPE html>
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="post" action="{{c.project.url()}}admin/{{app.config.options.mount_point}}/configure">
   {% for o in app.config_options if o.name not in ['mount_point', 'mount_label', 'ordinal'] %}
     <label for="{{o.name}}" class="grid-4">{{o.label}}</label>
@@ -43,4 +44,5 @@
       <a href="#" class="close">Cancel</a>
     </div>
   {% endif %}
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/app_admin_permissions.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/app_admin_permissions.html b/Allura/allura/templates/app_admin_permissions.html
index 8f03987..7433ede 100644
--- a/Allura/allura/templates/app_admin_permissions.html
+++ b/Allura/allura/templates/app_admin_permissions.html
@@ -59,6 +59,7 @@
         <input type="submit" value="Save">
         <a href="{{c.app.url}}" class="btn link cancel">Cancel</a>
       </p>
+      {{lib.csrf_token()}}
     </form>
     {{c.block_user.display()}}
     {{c.block_list.display()}}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/award.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/award.html b/Allura/allura/templates/award.html
index 503714f..329b8b2 100644
--- a/Allura/allura/templates/award.html
+++ b/Allura/allura/templates/award.html
@@ -58,6 +58,7 @@
               </tr>
             </tbody>
           </table>
+          {{lib.csrf_token()}}
         </form>
         <p><a href="../../accolades">&#060;&#060; Back</a></p>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/claim_openid.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/claim_openid.html b/Allura/allura/templates/claim_openid.html
index 7421dfa..4d61d1e 100644
--- a/Allura/allura/templates/claim_openid.html
+++ b/Allura/allura/templates/claim_openid.html
@@ -42,6 +42,7 @@
       <div class="grid-18">
         <input type="submit" id="submit" value="Claim">
       </div>
+      {{lib.csrf_token()}}
     </form>
   </div>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/jinja_master/sidebar_menu.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/jinja_master/sidebar_menu.html b/Allura/allura/templates/jinja_master/sidebar_menu.html
index 08beed2..5f82e64 100644
--- a/Allura/allura/templates/jinja_master/sidebar_menu.html
+++ b/Allura/allura/templates/jinja_master/sidebar_menu.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 {% set ul_active = [] %}
 {% macro sidebar_item(s) -%}
   {% if s.url %}
@@ -41,6 +42,7 @@
   {% if c.app and c.app.searchable %}
     <form id="search" method="GET" action="{{c.app.url + 'search/'}}">
       <input name="q" type="text" title="Search {{c.app.config.options.mount_label}}" placeholder="Search {{c.app.config.options.mount_label}}">
+      {{lib.csrf_token()}}
     </form>
   {% else %}
     <div>&nbsp;</div>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/login.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/login.html b/Allura/allura/templates/login.html
index fef3f7f..9153679 100644
--- a/Allura/allura/templates/login.html
+++ b/Allura/allura/templates/login.html
@@ -47,6 +47,7 @@
             <div class="grid-18"><input type="text" id="username_oid" name="username"/></div>
             <label class="grid-4">&nbsp;</label>
             <div class="grid-18"><input type="submit" id="submit_oid" value="Login"/></div>
+            {{lib.csrf_token()}}
           </form>
         </div>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/neighborhood_admin_accolades.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/neighborhood_admin_accolades.html b/Allura/allura/templates/neighborhood_admin_accolades.html
index 2f6d82f..a092baa 100644
--- a/Allura/allura/templates/neighborhood_admin_accolades.html
+++ b/Allura/allura/templates/neighborhood_admin_accolades.html
@@ -57,6 +57,7 @@
                       <td>
                         <form action="{{award.longurl()}}/delete" method="post">
                           <input type="submit" value="Delete"/>
+                          {{lib.csrf_token()}}
                         </form>
                     </tr>
                   {% endfor %}
@@ -94,6 +95,7 @@
                 </tr>
               </tbody>
             </table>
+            {{lib.csrf_token()}}
           </form>
 
           {% if awards_count > 0 %}
@@ -126,6 +128,7 @@
                   </tr>
                 </tbody>
               </table>
+              {{lib.csrf_token()}}
             </form>
           </p>
           {% endif %}
@@ -150,6 +153,7 @@
                       <td>
                         <form action="{{grant.longurl()}}/revoke" method="post">
                           <input type="submit" value="Revoke"/>
+                          {{lib.csrf_token()}}
                         </form>
                     </tr>
                   {% endfor %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/neighborhood_moderate.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/neighborhood_moderate.html b/Allura/allura/templates/neighborhood_moderate.html
index 5fe5c3f..c164140 100644
--- a/Allura/allura/templates/neighborhood_moderate.html
+++ b/Allura/allura/templates/neighborhood_moderate.html
@@ -47,6 +47,7 @@
 	</p>
     <input type="submit" name="invite" value="Invite!"/>
     <input type="submit" name="uninvite" value="Cancel Invitation!"/>
+    {{lib.csrf_token()}}
   </form>
 
 
@@ -62,5 +63,6 @@
       {% endfor %}
     </select>
     <input type="submit" value="Evict!"/>
+    {{lib.csrf_token()}}
   </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/oauth_applications.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/oauth_applications.html b/Allura/allura/templates/oauth_applications.html
index 6bc90a3..3742662 100644
--- a/Allura/allura/templates/oauth_applications.html
+++ b/Allura/allura/templates/oauth_applications.html
@@ -105,6 +105,7 @@
                 <form method="POST" action="revoke_access_token" class="revoke_access_token">
                     <input type="hidden" name="_id" value="{{access_token._id}}"/>
                     <input type="submit" value="Revoke"/>
+                    {{lib.csrf_token()}}
                 </form>
             </td>
         </tr>
@@ -131,10 +132,12 @@
                 <form method="POST" action="deregister" class="deregister_consumer_token">
                     <input type="hidden" name="_id" value="{{consumer_token._id}}"/>
                     <input type="submit" value="Deregister"/>
+                    {{lib.csrf_token()}}
                 </form>
                 <form method="POST" action="generate_access_token" class="generate_access_token">
                     <input type="hidden" name="_id" value="{{consumer_token._id}}"/>
                     <input type="submit" value="Generate Bearer Token"/>
+                    {{lib.csrf_token()}}
                 </form>
             </td>
         </tr>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/oauth_authorize.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/oauth_authorize.html b/Allura/allura/templates/oauth_authorize.html
index 0aa0437..7177442 100644
--- a/Allura/allura/templates/oauth_authorize.html
+++ b/Allura/allura/templates/oauth_authorize.html
@@ -38,6 +38,7 @@
   <input type="hidden" name="oauth_token" value="{{oauth_token}}"/>
   <input type="submit" name="no" value="No, do not authorize {{ consumer.name }}">
   <input type="submit" name="yes" value="Yes, authorize {{ consumer.name }}"><br>
+  {{lib.csrf_token()}}
 </form>
 <br style="clear:both"/>
 <h2>{{consumer.name}}</h2>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/repo/default_branch.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/repo/default_branch.html b/Allura/allura/templates/repo/default_branch.html
index 6c20021..e72634a 100644
--- a/Allura/allura/templates/repo/default_branch.html
+++ b/Allura/allura/templates/repo/default_branch.html
@@ -16,7 +16,6 @@
        specific language governing permissions and limitations
        under the License.
 -#}
-
 <form action="{{c.project.url()}}admin/{{app.config.options.mount_point}}/set_default_branch_name" method="POST">
     <label class="grid-13">Default branch name:</label>
     <div class="grid-13">

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/repo/fork.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/repo/fork.html b/Allura/allura/templates/repo/fork.html
index b552273..b8698d5 100644
--- a/Allura/allura/templates/repo/fork.html
+++ b/Allura/allura/templates/repo/fork.html
@@ -47,5 +47,6 @@
         <input type="submit" value="Fork"/>
       </div>
     {% endif %}
+    {{lib.csrf_token()}}
 </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/repo/tarball.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/repo/tarball.html b/Allura/allura/templates/repo/tarball.html
index f929433..d68430d 100644
--- a/Allura/allura/templates/repo/tarball.html
+++ b/Allura/allura/templates/repo/tarball.html
@@ -91,6 +91,7 @@ Commit <a href="{{commit.url()}}">{{commit.shorthand_id()}}</a> {{commit_labels(
       <p>We're having trouble finding that snapshot. Would you like to resubmit?</p>
       <input type="hidden" name="path" value="{{path}}" />
       <input type="submit" value="Resubmit Snapshot Request" />
+      {{lib.csrf_token()}}
     </form>
 </div>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/repo/tree.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/repo/tree.html b/Allura/allura/templates/repo/tree.html
index 851ad38..e310056 100644
--- a/Allura/allura/templates/repo/tree.html
+++ b/Allura/allura/templates/repo/tree.html
@@ -59,6 +59,7 @@ form.tarball button:hover {
 <form class="tarball" action="{{ tarball_url }}" method="post">
   <input type="hidden" name="path" value="{{ path or '' }}" />
   <button><b data-icon="{{g.icons.folder.char}}" class="ico {{g.icons.folder.css}}" title="Snapshot"></b> Download Snapshot</button>
+  {{lib.csrf_token()}}
 </form>
 {% endif %}
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/setup_openid_user.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/setup_openid_user.html b/Allura/allura/templates/setup_openid_user.html
index ee14125..6496b8f 100644
--- a/Allura/allura/templates/setup_openid_user.html
+++ b/Allura/allura/templates/setup_openid_user.html
@@ -31,6 +31,7 @@
       <div class="grid-18"><input type="text" id="display_name" name="display_name"/></div>
       <label class="grid-4">&nbsp;</label>
       <div class="grid-18"><input type="submit" value="Setup Account"/></div>
+      {{lib.csrf_token()}}
     </form>
   </div>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/site_admin_add_subscribers.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/site_admin_add_subscribers.html b/Allura/allura/templates/site_admin_add_subscribers.html
index 660e55f..3cffdee 100644
--- a/Allura/allura/templates/site_admin_add_subscribers.html
+++ b/Allura/allura/templates/site_admin_add_subscribers.html
@@ -33,5 +33,6 @@
             <td><input type="submit" value="Save"></td>
         </tr>
     </table>
+    {{lib.csrf_token()}}
 </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/site_admin_api_tickets.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/site_admin_api_tickets.html b/Allura/allura/templates/site_admin_api_tickets.html
index fbb6724..0dba2ea 100644
--- a/Allura/allura/templates/site_admin_api_tickets.html
+++ b/Allura/allura/templates/site_admin_api_tickets.html
@@ -39,6 +39,7 @@
 <td><input type="submit" value="Save"><td>
 </tr>
 </table>
+{{lib.csrf_token()}}
 </form>
 
 <table>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/site_admin_new_projects.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/site_admin_new_projects.html b/Allura/allura/templates/site_admin_new_projects.html
index f6dc2f0..46cad9a 100644
--- a/Allura/allura/templates/site_admin_new_projects.html
+++ b/Allura/allura/templates/site_admin_new_projects.html
@@ -34,6 +34,7 @@
     <label for="end-dt">To: </label><input type="text" name="end-dt" id="end-dt" value="{{ window_end.strftime('%Y/%m/%d %H:%M:%S') }}">
     </div>
     <div class="grid-3"><input type="submit" value="Filter"></div>
+    {{lib.csrf_token()}}
   </form>
   </div>
   {{ _paging() }}
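Review bot: The added `{{lib.csrf_token()}}` lands in what looks like a filter form (a date-range pair and a `Filter` submit button), and if that form is submitted with GET the `_session_id` value ends up in the query string, where it is exposed through browser history, server and proxy logs, and the Referer header of any outbound link on the result page. A GET form should not need a CSRF token at all, since its handler is expected to be read-only, so the line should be dropped here unless the form is actually POST; the `<form>` tag is outside the hunk, so the method is inferred. The same point applies unambiguously to the `widgets/page_size.html` hunk (`<form method="get">`) and the `widgets/search_results.html` hunk (`<form method="GET" action=".">`), where the token should likewise not be emitted.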

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/site_admin_reclone_repo.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/site_admin_reclone_repo.html b/Allura/allura/templates/site_admin_reclone_repo.html
index f1b28b4..5aeadf2 100644
--- a/Allura/allura/templates/site_admin_reclone_repo.html
+++ b/Allura/allura/templates/site_admin_reclone_repo.html
@@ -36,5 +36,6 @@
             <td><input type="submit" value="Reclone"></td>
         </tr>
     </table>
+    {{lib.csrf_token()}}
 </form>
-{% endblock %}
\ No newline at end of file
+{% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/site_admin_task_new.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/site_admin_task_new.html b/Allura/allura/templates/site_admin_task_new.html
index 2244e77..cf66620 100644
--- a/Allura/allura/templates/site_admin_task_new.html
+++ b/Allura/allura/templates/site_admin_task_new.html
@@ -103,6 +103,7 @@
   <input type="submit" /><br/>
 
   <pre class="doc"></pre>
+  {{lib.csrf_token()}}
 </form>
 {% endblock %}
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/site_admin_task_view.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/site_admin_task_view.html b/Allura/allura/templates/site_admin_task_view.html
index e363b8d..6306885 100644
--- a/Allura/allura/templates/site_admin_task_view.html
+++ b/Allura/allura/templates/site_admin_task_view.html
@@ -79,6 +79,7 @@
     {% if task.state in ['error', 'complete'] %}
     <form id="resubmit-task-form" action="../resubmit/{{task._id}}" method="POST">
         <input type="submit" value="Re-Submit Task" />
+        {{lib.csrf_token()}}
     </form>
     {% endif %}
     <h2>Task Details</h2>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/user_prefs.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/user_prefs.html b/Allura/allura/templates/user_prefs.html
index 2efb388..3185747 100644
--- a/Allura/allura/templates/user_prefs.html
+++ b/Allura/allura/templates/user_prefs.html
@@ -116,6 +116,7 @@
         <div class="grid-18">
         {{lib.submit_button('Save Changes')}}
         </div>
+        {{lib.csrf_token()}}
       </form>
   </div>
 
@@ -146,12 +147,14 @@
         </p>
         <form method="POST" action="del_api_token" class="grid-18">
           <input type="submit" value="Delete API Token">
+          {{lib.csrf_token()}}
         </form>
       {% else %}
         <p>No API token generated</p>
       {% endif %}
       <form method="POST" action="gen_api_token" class="grid-18">
         <input type="submit" value="(Re)generate API Token">
+        {{lib.csrf_token()}}
       </form>
   </div>
   {% endif %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/admin_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/admin_form.html b/Allura/allura/templates/widgets/admin_form.html
index f516d12..04e29b0 100644
--- a/Allura/allura/templates/widgets/admin_form.html
+++ b/Allura/allura/templates/widgets/admin_form.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="{{method}}"
        {% if enctype %}enctype="{{enctype}}"{% endif %}
       action="{{action}}">
@@ -42,4 +43,5 @@
     {% endfor %}
     <a href="#" class="close">Cancel</a>
   </div>
+  {{lib.csrf_token()}}
 </form>
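Review bot: `{{lib.csrf_token()}}` is emitted unconditionally although the form's method is the template variable `{{method}}`, so any widget rendered with a GET method will carry the token in its query string (browser history, logs, Referer). Guarding the line on the method keeps the token out of idempotent forms while leaving POST forms protected: `{% if method|lower == 'post' %}{{lib.csrf_token()}}{% endif %}`. The same pattern applies to the `widgets/moderate_posts.html`, `blog_widgets/post_form.html` and `discussion_widgets/add_forum_short.html` hunks, whose forms also take their method from a template variable.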

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/attachment_add.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/attachment_add.html b/Allura/allura/templates/widgets/attachment_add.html
index 51f4d5b..d1a2775 100644
--- a/Allura/allura/templates/widgets/attachment_add.html
+++ b/Allura/allura/templates/widgets/attachment_add.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="post"
       action="{{action}}"
       enctype="multipart/form-data">
@@ -24,4 +25,5 @@
           <input type="file" class="text" name="{{name}}" multiple="True" id="{{name}}" style="margin-left:0"/><br/>
           <input type="submit" value="Attach files"/>
       </div>
+      {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/attachment_list.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/attachment_list.html b/Allura/allura/templates/widgets/attachment_list.html
index 09d8177..d26a35e 100644
--- a/Allura/allura/templates/widgets/attachment_list.html
+++ b/Allura/allura/templates/widgets/attachment_list.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <div>
   {% if attachments %}
     {% set attachments = attachments|list %}
@@ -31,6 +32,7 @@
             <form method="post" action="{{att.url()}}">
               <input type="hidden" name="delete" value="True"/>
               <input type="submit" value="Delete File"/>
+              {{lib.csrf_token()}}
             </form>
             {% endif %}
           </div>
@@ -48,6 +50,7 @@
             <input type="submit" value="Delete File"/>
           </span>
           {% endif %}
+          {{lib.csrf_token()}}
         </form>
       </div>
     {% endfor %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/edit_post.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/edit_post.html b/Allura/allura/templates/widgets/edit_post.html
index 38ad0b3..a42803e 100644
--- a/Allura/allura/templates/widgets/edit_post.html
+++ b/Allura/allura/templates/widgets/edit_post.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <div>
   <form method="post" action="{{action}}"
         enctype="multipart/form-data">
@@ -33,5 +34,6 @@
     <input type="file" class="text attachment_form_fields" style="display:none" multiple="True" name="{{att_name}}" {% if att_id %}id="{{att_id}}"{% endif %}/>
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
+    {{lib.csrf_token()}}
   </form>
 </div>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/flag_post.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/flag_post.html b/Allura/allura/templates/widgets/flag_post.html
index b539e04..bb77fa6 100644
--- a/Allura/allura/templates/widgets/flag_post.html
+++ b/Allura/allura/templates/widgets/flag_post.html
@@ -16,7 +16,9 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="POST" action="{{action}}">
     <input type="hidden" name="delete" value="True"/>
     <a href="" title="Flag as inappropriate or spam" class="flag_post ico-l"><b data-icon="{{g.icons['flag'].char}}" class="ico {{g.icons['flag'].css}}"></b> <span>Flag</span></a>
-</form>
\ No newline at end of file
+    {{lib.csrf_token()}}
+</form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/forge_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/forge_form.html b/Allura/allura/templates/widgets/forge_form.html
index de20c42..6ab41d4 100644
--- a/Allura/allura/templates/widgets/forge_form.html
+++ b/Allura/allura/templates/widgets/forge_form.html
@@ -54,5 +54,5 @@
   {% endif %}
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
-  {{lib.csrf_token()}} 
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/moderate_post.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/moderate_post.html b/Allura/allura/templates/widgets/moderate_post.html
index 0487016..d111e23 100644
--- a/Allura/allura/templates/widgets/moderate_post.html
+++ b/Allura/allura/templates/widgets/moderate_post.html
@@ -16,20 +16,24 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="POST" action="{{action}}">
     <input type="hidden" name="delete" value="True"/>
     <a href="" class="moderate_post little_link"><span>Delete</span></a>
+    {{lib.csrf_token()}}
 </form>
 <br/>
 {%if status == 'pending'%}
     <form method="POST" class="moderate_approve" action="{{action}}">
         <input type="hidden" name="approve" value="True"/>
         <a href="" class="moderate_post little_link"><span>Approve</span></a>
+        {{lib.csrf_token()}}
     </form>
     <br/>
 {%endif%}
     <form method="POST" class="moderate_spam" action="{{action}}">
         <input type="hidden" name="spam" value="True"/>
         <a href="" class="moderate_post little_link"><span>Spam</span></a>
+        {{lib.csrf_token()}}
     </form>
 <br/>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/moderate_posts.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/moderate_posts.html b/Allura/allura/templates/widgets/moderate_posts.html
index 25294a3..e06fc12 100644
--- a/Allura/allura/templates/widgets/moderate_posts.html
+++ b/Allura/allura/templates/widgets/moderate_posts.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form {{widget.j2_attrs({'name':name, 'id':id, 'method':method, 'action':action, 'enctype':enctype})}}
       {{attrs|default({}, true)|xmlattr}}>
   <fieldset class="grid-19">
@@ -65,4 +66,5 @@
       {% endfor %}
     </tbody>
   </table>
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/neighborhood_add_project.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/neighborhood_add_project.html b/Allura/allura/templates/widgets/neighborhood_add_project.html
index 5a45019..002b8e4 100644
--- a/Allura/allura/templates/widgets/neighborhood_add_project.html
+++ b/Allura/allura/templates/widgets/neighborhood_add_project.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form action="{{action}}" method="POST">
 
     <div class="welcome">
@@ -76,4 +77,5 @@
     </div>
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/neighborhood_overview_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/neighborhood_overview_form.html b/Allura/allura/templates/widgets/neighborhood_overview_form.html
index 6b63d3b..c9d0f9d 100644
--- a/Allura/allura/templates/widgets/neighborhood_overview_form.html
+++ b/Allura/allura/templates/widgets/neighborhood_overview_form.html
@@ -58,4 +58,5 @@
 	</div>
     <label class="grid-4">&nbsp;</label>
     <div class="grid-14"><input type="submit" value="Save"/></div>
+    {{lib.csrf_token()}}
   </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/new_topic_post.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/new_topic_post.html b/Allura/allura/templates/widgets/new_topic_post.html
index 60e31a0..1c03b94 100644
--- a/Allura/allura/templates/widgets/new_topic_post.html
+++ b/Allura/allura/templates/widgets/new_topic_post.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="post" action="{{action}}">
     {% if show_subject %}
     <div class="grid-19">&nbsp;</div>
@@ -46,4 +47,5 @@
     </div>
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/page_size.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/page_size.html b/Allura/allura/templates/widgets/page_size.html
index baed90a..99fc3ac 100644
--- a/Allura/allura/templates/widgets/page_size.html
+++ b/Allura/allura/templates/widgets/page_size.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="get">
   {% for k,v in widget.url_params.iteritems() %}
     <input type="hidden" name="{{k}}" value="{{v}}"/>
@@ -34,4 +35,5 @@
   {% endif %}
   result{% if limit|int != 1 %}s{% endif %} of {{count}} </strong></p>
   {% endif %}
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/post_widget.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/post_widget.html b/Allura/allura/templates/widgets/post_widget.html
index 2aebd44..f85fc4b 100644
--- a/Allura/allura/templates/widgets/post_widget.html
+++ b/Allura/allura/templates/widgets/post_widget.html
@@ -88,6 +88,7 @@
                     {% endif %}
                 {% endif %}
                 <input type="hidden" name="delete" value="True">
+                {{lib.csrf_token()}}
                 </form>
             </div>
           {% endfor %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/project_screenshots.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/project_screenshots.html b/Allura/allura/templates/widgets/project_screenshots.html
index 7d3d338..f1c5bca 100644
--- a/Allura/allura/templates/widgets/project_screenshots.html
+++ b/Allura/allura/templates/widgets/project_screenshots.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 {% set screenshots = project.get_screenshots() %}
 {% if screenshots.__len__() > 1 %}
 <p>Drag screenshots to sort.</p>
@@ -36,10 +37,12 @@
         <input type="hidden" value="{{ss._id}}" name="id">
         <input type="text" value="{{ss.caption}}" name="caption"><br>
         <input type="submit" value="Save Changes">
+        {{lib.csrf_token()}}
       </form>
       <form action="delete_screenshot" method="post">
         <input type="hidden" value="{{ss._id}}" name="id">
         <input type="submit" value="Delete">
+        {{lib.csrf_token()}}
       </form>
     </div>
     {% endif %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/search_results.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/search_results.html b/Allura/allura/templates/widgets/search_results.html
index 464dab4..74b9134 100644
--- a/Allura/allura/templates/widgets/search_results.html
+++ b/Allura/allura/templates/widgets/search_results.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="GET" action=".">
   <div class="grid-10">
     <input type="text" name="q" value="{{q}}" class="search-query" title="Search App"/>
@@ -52,6 +53,7 @@
       <input id="search-history" type="checkbox" name="history"{% if history %} checked{% endif %}>
     {% endif %}
   </div>
+  {{lib.csrf_token()}}
 </form>
 <div style="clear:both">&nbsp;</div>
 {% if search_error %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/subscription_form.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/subscription_form.html b/Allura/allura/templates/widgets/subscription_form.html
index b138c58..45aed2a 100644
--- a/Allura/allura/templates/widgets/subscription_form.html
+++ b/Allura/allura/templates/widgets/subscription_form.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <div {{attrs|default({}, true)|xmlattr}} class="discussion_subscription_form">
   <div class="clear"></div>
   <div class="pagination_size">{{widget.fields['page_list'].display(limit=limit, page=page, count=count)}}</div>
@@ -26,6 +27,7 @@
     <input type="submit" value="Update email subscriptions"/>
     {% endif %}
     </p>
+    {{lib.csrf_token()}}
   </form>
   {{widget.fields['page_list'].display(limit=limit, page=page, count=count)}}
   {{widget.fields['page_size'].display(limit=limit, page=page, count=count)}}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/Allura/allura/templates/widgets/vote.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/widgets/vote.html b/Allura/allura/templates/widgets/vote.html
index 06f40d7..c5b5f97 100644
--- a/Allura/allura/templates/widgets/vote.html
+++ b/Allura/allura/templates/widgets/vote.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 {% set can_vote = c.user and c.user != c.user.anonymous()
                   and h.has_access(artifact, 'post')() %}
 {% set voted = artifact.user_voted(c.user) %}
@@ -44,6 +45,7 @@
   {% if can_vote %}
   <form action="{{ action }}" method="POST">
     {# csrf protection will be automatically inserted here (_session_id field) #}
+    {{lib.csrf_token()}}
   </form>
   {% endif %}
 </div>
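Review bot: The context comment `{# csrf protection will be automatically inserted here (_session_id field) #}` is now misleading, because the token is inserted explicitly by the new `{{lib.csrf_token()}}` line directly below it, and a reader cannot tell whether the form ends up with one `_session_id` field or two. Either delete the comment or reword it to match the new behaviour, e.g. `{# csrf token (_session_id) is this form's only field #}`. If the automatic insertion the old comment refers to is still active elsewhere in the stack, the field would be duplicated in this form; that cannot be confirmed from the hunk and is worth checking.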

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeBlog/forgeblog/templates/blog/admin_exfeed.html
----------------------------------------------------------------------
diff --git a/ForgeBlog/forgeblog/templates/blog/admin_exfeed.html b/ForgeBlog/forgeblog/templates/blog/admin_exfeed.html
index 9fc417a..e5d7a18 100644
--- a/ForgeBlog/forgeblog/templates/blog/admin_exfeed.html
+++ b/ForgeBlog/forgeblog/templates/blog/admin_exfeed.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="POST" action="{{c.project.url()}}admin/{{app.config.options.mount_point}}/set_exfeed">
   <label class="grid-13">Existing external feeds:</label>
   <div class="grid-13">
@@ -42,4 +43,5 @@
       <input type="submit" value="Save"/>
     </div>
   {% endif %}
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeBlog/forgeblog/templates/blog/post_history.html
----------------------------------------------------------------------
diff --git a/ForgeBlog/forgeblog/templates/blog/post_history.html b/ForgeBlog/forgeblog/templates/blog/post_history.html
index fd1efbf..2fb74e8 100644
--- a/ForgeBlog/forgeblog/templates/blog/post_history.html
+++ b/ForgeBlog/forgeblog/templates/blog/post_history.html
@@ -51,5 +51,6 @@
               {% endfor %}
               </tbody>
             </table>
+            {{lib.csrf_token()}}
           </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
----------------------------------------------------------------------
diff --git a/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html b/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
index ecfc16c..66e3b4d 100644
--- a/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
+++ b/ForgeBlog/forgeblog/templates/blog_widgets/post_form.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <div class="editbox">
 <form method="{{method}}"
       {% if enctype %}enctype="{{enctype}}"{% endif %}
@@ -50,5 +51,6 @@
   </div>
   {% if widget.antispam %}{% for fld in g.antispam.extra_fields() %}
   {{fld}}{% endfor %}{% endif %}
+  {{lib.csrf_token()}}
 </form>
 </div>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
index 626b2b3..b483c92 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum.html
@@ -48,6 +48,7 @@
       <input type="button" id="add_forum_cancel" value="Cancel">
     </div>
   </div>
+  {{lib.csrf_token()}}
 </form>
 <script type="text/javascript">
     function addLoadEvent(func) {

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
index 701022c..273a00e 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussion_widgets/add_forum_short.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="{{method}}" action="{{action}}" enctype="multipart/form-data" id="new_forum_form">
   <input type="hidden" name="add_forum.app_id" value="{{app and app.config._id}}">
   <div class="grid-6">
@@ -47,6 +48,7 @@
     <input type="submit" id="new_forum.create" name="new_forum.create" value="Save">
     <a id="add_forum_cancel" class="btn link">Cancel</a>
   </div>
+  {{lib.csrf_token()}}
 </form>
 <script type="text/javascript">
   {% for field in widget.fields %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
index 2284a5d..9b6b3e0 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussionforums/admin_forums.html
@@ -17,6 +17,7 @@
        under the License.
 -#}
 {% extends g.theme.master %}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 
 {% block title %}{{c.project.name}} / {{app.config.options.mount_label}} / Admin Forums{% endblock %}
 
@@ -108,6 +109,7 @@
     </tbody>
   </table>
   <div class="grid-19"><input type="button" id="add_forum" value="Add another forum"></div>
+  {{lib.csrf_token()}}
 </form>
 {{c.add_forum.display(method='POST',action='add_forum',app=app, value=c.add_forum)}}
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeDiscussion/forgediscussion/templates/discussionforums/stats_graph.html
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/templates/discussionforums/stats_graph.html b/ForgeDiscussion/forgediscussion/templates/discussionforums/stats_graph.html
index d702657..2d28448 100644
--- a/ForgeDiscussion/forgediscussion/templates/discussionforums/stats_graph.html
+++ b/ForgeDiscussion/forgediscussion/templates/discussionforums/stats_graph.html
@@ -17,6 +17,7 @@
        under the License.
 -#}
 {% extends g.theme.master %}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 
 {% block title %}{{c.project.name}} / {{c.app.config.options.mount_label}} / Stats{% endblock %}
 
@@ -37,6 +38,7 @@
           >{{forum.name}}</option>
     {% endfor %}
   </select>
+  {{lib.csrf_token()}}
 </form>
 
 <div id="stats-viz-container" class="project_stats">
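Review bot: The `<select>` form that receives `{{lib.csrf_token()}}` here reads like a view filter, and the tracker search form in ForgeTracker/forgetracker/templates/tracker/search.html (the hunk ending with the `Search` submit button) is by convention a GET form; the `<form>` tag is outside both hunks, so I can't confirm the method. If either form is `method="GET"`, the token travels in the query string, where it lands in browser history, server logs and outbound Referer headers, and it protects nothing because the request changes no state. If they are GET the token line should be dropped; if they post, a short comment such as `{# form posts: csrf_token required #}` next to the token would make that visible to the next reader.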
@@ -100,4 +102,4 @@
     });
   });
 </script>
-{% endblock %}
\ No newline at end of file
+{% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeImporters/forgeimporters/templates/importer_base.html
----------------------------------------------------------------------
diff --git a/ForgeImporters/forgeimporters/templates/importer_base.html b/ForgeImporters/forgeimporters/templates/importer_base.html
index 16cbae2..b22aa3d 100644
--- a/ForgeImporters/forgeimporters/templates/importer_base.html
+++ b/ForgeImporters/forgeimporters/templates/importer_base.html
@@ -95,5 +95,6 @@
   </div>
 
   <input type="submit" value="Import"/>
+  {{lib.csrf_token()}}
 </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeImporters/forgeimporters/templates/project_base.html
----------------------------------------------------------------------
diff --git a/ForgeImporters/forgeimporters/templates/project_base.html b/ForgeImporters/forgeimporters/templates/project_base.html
index d7863eb..d34c2d1 100644
--- a/ForgeImporters/forgeimporters/templates/project_base.html
+++ b/ForgeImporters/forgeimporters/templates/project_base.html
@@ -148,5 +148,6 @@
     </div>
 
     <input type="submit" value="Import"/>
+    {{lib.csrf_token()}}
 </form>
 {% endblock %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeShortUrl/forgeshorturl/templates/form.html
----------------------------------------------------------------------
diff --git a/ForgeShortUrl/forgeshorturl/templates/form.html b/ForgeShortUrl/forgeshorturl/templates/form.html
index fa39b92..855563c 100644
--- a/ForgeShortUrl/forgeshorturl/templates/form.html
+++ b/ForgeShortUrl/forgeshorturl/templates/form.html
@@ -16,6 +16,8 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
+
 {% set app = app or c.app %}
 <div>
     <h1 id="short-url-form-title" style="display:none"><span id="short-url-form-action-label">Add</span> Short URL</h1>
@@ -35,6 +37,7 @@
         <div class="grid-13"><div class="grid-13">&nbsp;</div>
         <input type="submit" value="Save">
         <a href="#" class="close">Cancel</a></div>
+        {{lib.csrf_token()}}
     </form>
 </div>
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker/admin_fields.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker/admin_fields.html b/ForgeTracker/forgetracker/templates/tracker/admin_fields.html
index b16c8b5..7d6c343 100644
--- a/ForgeTracker/forgetracker/templates/tracker/admin_fields.html
+++ b/ForgeTracker/forgetracker/templates/tracker/admin_fields.html
@@ -44,6 +44,7 @@
         {%endfor%}
         <tr><td><input type="submit" value="Save"></td><td></td></tr>
     </table>
+    {{lib.csrf_token()}}
 </form>
 {% endblock %}
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker/bin.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker/bin.html b/ForgeTracker/forgetracker/templates/tracker/bin.html
index 42121b7..4badd12 100644
--- a/ForgeTracker/forgetracker/templates/tracker/bin.html
+++ b/ForgeTracker/forgetracker/templates/tracker/bin.html
@@ -86,6 +86,7 @@
         <a href="#" class="btn link cancel_edit">Cancel</a>
       {% endif %}
     </div>
+    {{lib.csrf_token()}}
   </form>
 {% endblock %}
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker/milestones.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker/milestones.html b/ForgeTracker/forgetracker/templates/tracker/milestones.html
index e04eb91..7e4a670 100644
--- a/ForgeTracker/forgetracker/templates/tracker/milestones.html
+++ b/ForgeTracker/forgetracker/templates/tracker/milestones.html
@@ -98,6 +98,7 @@
     <input type="submit" value="Save">
     <a href="#" class="btn link cancel_edit">Cancel</a>
   </div>
+  {{lib.csrf_token()}}
   </form>
 {% endblock %}
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker/search.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker/search.html b/ForgeTracker/forgetracker/templates/tracker/search.html
index c355f47..a690830 100644
--- a/ForgeTracker/forgetracker/templates/tracker/search.html
+++ b/ForgeTracker/forgetracker/templates/tracker/search.html
@@ -74,6 +74,7 @@
     <input type="button" value="Update Search" id="save_search"/>
   {% endif %}
   <input type="submit" value="Search"/>
+  {{lib.csrf_token()}}
 </form>
 <a href="{{tg.url(c.app.url + 'search_help/')}}" target="_blank" class="btn search_help_modal"><b data-icon="{{g.icons['help'].char}}" class="ico {{g.icons['help'].css}}"></b> Help</a>
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker_widgets/bin_form.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/bin_form.html b/ForgeTracker/forgetracker/templates/tracker_widgets/bin_form.html
index c6f6069..c269a37 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/bin_form.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/bin_form.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}       
 <form method="post" action="{{action}}">
   {% for field in hidden_fields -%}
     {% set ctx=widget.context_for(field) -%}
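Review bot: The added import line at the top of this hunk has trailing whitespace after `%}`; trim it to `{% import 'allura:templates/jinja_master/lib.html' as lib with context %}`. Jinja emits text after a closing `%}` verbatim unless block trimming is enabled, so the stray spaces become output, and the identical import in the other templates of this commit is clean.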
@@ -33,4 +34,5 @@
     <input type="submit" value="Save"/>
     <input type="button" value="Cancel" id="cancel_new_bin"/>
   </div>
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker_widgets/mass_edit_form.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/mass_edit_form.html b/ForgeTracker/forgetracker/templates/tracker_widgets/mass_edit_form.html
index 666c325..bfeaf15 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/mass_edit_form.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/mass_edit_form.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form id="update-values" method="post" action="../update_tickets">
     {% for field in globals.custom_fields %}
       {% if field.name == '_milestone' %}
@@ -108,4 +109,5 @@
     </div>
     <div class="grid-12" id="result"></div>
     <input name="__search" type="hidden" value="" id="id_search" />
-</form>
\ No newline at end of file
+    {{lib.csrf_token()}}
+</form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
index c298e02..2483917 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/options_admin.html
@@ -16,6 +16,7 @@
        specific language governing permissions and limitations
        under the License.
 -#}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <form method="{{method}}"
        {% if enctype %}enctype="{{enctype}}"{% endif %}
       action="{{action}}">
@@ -44,4 +45,5 @@
     {% endfor %}
     <a href="#" onclick="window.history.back(); return false;" class="close">Cancel</a>
   </div>
+  {{lib.csrf_token()}}
 </form>
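Review bot: This widget's form tag is `<form method="{{method}}"` (visible in the first hunk of this file), so the method is supplied by the caller, yet the token is added unconditionally; for a GET instance the hidden field ends up in the URL query string, where it is exposed through history, logs and Referer, and guards nothing. Emitting it only for POST, `{% if method.upper() == 'POST' %}{{lib.csrf_token()}}{% endif %}`, matches what the generic form widgets need to do for the same reason. I can't see from the diff which callers pass GET, so if every caller is POST the guard is merely defensive.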

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_form.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_form.html b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_form.html
index 8676159..93f5fcc 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_form.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_form.html
@@ -127,4 +127,5 @@
     {{widget.display_field_by_name('submit')|safe}}
     <a href="{{c.app.url}}" class="btn link cancel_form">Cancel</a>
   </div>
+  {{lib.csrf_token()}}
 </form>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
index 2c5bb6c..91ee78a 100644
--- a/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
+++ b/ForgeTracker/forgetracker/templates/tracker_widgets/ticket_search_results.html
@@ -17,6 +17,7 @@
        under the License.
 -#}
 {% from 'allura:templates/jinja_master/lib.html' import abbr_date with context %}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 <div id="ticket_search_results_holder" style="clear:both">
   {% if solr_error %}<p>{{solr_error}}</p>{% endif %}
   {{widget.fields['page_size'].display(page=page, count=count, limit=limit)}}
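Review bot: The line above already pulls `abbr_date` out of lib.html with a `from … import … with context`, and the new line loads the same template a second time as `lib`. Extending the existing line to `{% from 'allura:templates/jinja_master/lib.html' import abbr_date, csrf_token with context %}` and calling `{{csrf_token()}}` in the second hunk avoids the double import; keeping `lib.csrf_token()` for consistency with the other templates in this commit is also reasonable, in which case `abbr_date` could become `lib.abbr_date` and the `from` line go away.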
@@ -103,6 +104,7 @@
       {% if h.has_access(c.app, 'configure') %}
           <a href="{{c.project.url()}}admin/{{c.app.config.options.mount_point}}/fields">Change field settings permanently.</a>
       {% endif %}
+      {{lib.csrf_token()}}
     </form>
     {{widget.fields['lightbox'].display()}}
   {% endif %}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/d778f65a/ForgeWiki/forgewiki/templates/wiki/page_edit.html
----------------------------------------------------------------------
diff --git a/ForgeWiki/forgewiki/templates/wiki/page_edit.html b/ForgeWiki/forgewiki/templates/wiki/page_edit.html
index 1944f54..534527e 100644
--- a/ForgeWiki/forgewiki/templates/wiki/page_edit.html
+++ b/ForgeWiki/forgewiki/templates/wiki/page_edit.html
@@ -17,6 +17,7 @@
        under the License.
 -#}
 {% extends 'forgewiki:templates/wiki/master.html' %}
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
 
 {% block title %}{{c.project.name}} / {{c.app.config.options.mount_label}} / {{page.title}}{% endblock %}
 
@@ -57,6 +58,7 @@
     <input type="submit" value="Save">
     <input type="reset" value="Cancel">
 	</div>
+    {{lib.csrf_token()}}
 </form>
 <div class="grid-19">
   {{c.attachment_list.display(attachments=page.attachments, edit_mode=page_exists and h.has_access(page, 'edit')())}}


[2/9] git commit: [#5475] ticket:473 Removed useless csrf tokens from oauth forms

Posted by tv...@apache.org.
[#5475] ticket:473 Removed useless csrf tokens from oauth forms


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/5042b1d6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/5042b1d6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/5042b1d6

Branch: refs/heads/tv/6941
Commit: 5042b1d60bb4bb321a18907057ae3915715085e3
Parents: d778f65
Author: Andrej Aleksandrov <pi...@gmail.com>
Authored: Fri Nov 8 16:49:56 2013 +0200
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Dec 4 15:35:11 2013 +0000

----------------------------------------------------------------------
 Allura/allura/templates/oauth_applications.html | 3 ---
 Allura/allura/templates/oauth_authorize.html    | 1 -
 2 files changed, 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/5042b1d6/Allura/allura/templates/oauth_applications.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/oauth_applications.html b/Allura/allura/templates/oauth_applications.html
index 3742662..6bc90a3 100644
--- a/Allura/allura/templates/oauth_applications.html
+++ b/Allura/allura/templates/oauth_applications.html
@@ -105,7 +105,6 @@
                 <form method="POST" action="revoke_access_token" class="revoke_access_token">
                     <input type="hidden" name="_id" value="{{access_token._id}}"/>
                     <input type="submit" value="Revoke"/>
-                    {{lib.csrf_token()}}
                 </form>
             </td>
         </tr>
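Review bot: The three forms losing their token here and in the next hunk (`revoke_access_token`, `deregister`, `generate_access_token`) and the authorize form in oauth_authorize.html are all `method="POST"` and change state — revoking or minting tokens and granting a consumer access — so once the hidden field is gone a request-forgery check has to come from somewhere else, and the commit message says the tokens were useless without saying why. If middleware or the controller enforces the check for these paths, that lives outside this diff and I can't confirm it; if nothing does, these state-changing endpoints are left without cross-site request protection. A Jinja comment at each removal site, e.g. `{# csrf_token intentionally omitted: <reason> #}`, would record the rationale so the next reader neither re-adds it nor flags it again.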
@@ -132,12 +131,10 @@
                 <form method="POST" action="deregister" class="deregister_consumer_token">
                     <input type="hidden" name="_id" value="{{consumer_token._id}}"/>
                     <input type="submit" value="Deregister"/>
-                    {{lib.csrf_token()}}
                 </form>
                 <form method="POST" action="generate_access_token" class="generate_access_token">
                     <input type="hidden" name="_id" value="{{consumer_token._id}}"/>
                     <input type="submit" value="Generate Bearer Token"/>
-                    {{lib.csrf_token()}}
                 </form>
             </td>
         </tr>

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/5042b1d6/Allura/allura/templates/oauth_authorize.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/oauth_authorize.html b/Allura/allura/templates/oauth_authorize.html
index 7177442..0aa0437 100644
--- a/Allura/allura/templates/oauth_authorize.html
+++ b/Allura/allura/templates/oauth_authorize.html
@@ -38,7 +38,6 @@
   <input type="hidden" name="oauth_token" value="{{oauth_token}}"/>
   <input type="submit" name="no" value="No, do not authorize {{ consumer.name }}">
   <input type="submit" name="yes" value="Yes, authorize {{ consumer.name }}"><br>
-  {{lib.csrf_token()}}
 </form>
 <br style="clear:both"/>
 <h2>{{consumer.name}}</h2>


[7/9] git commit: [#6941] Create activity events for commits

Posted by tv...@apache.org.
[#6941] Create activity events for commits

Signed-off-by: Tim Van Steenburgh <tv...@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/1edeb4ad
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/1edeb4ad
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/1edeb4ad

Branch: refs/heads/tv/6941
Commit: 1edeb4ad6c89b3d8024b5dc77a4c3f32bf4a5037
Parents: 6426ead
Author: Tim Van Steenburgh <tv...@gmail.com>
Authored: Wed Dec 4 00:59:20 2013 +0000
Committer: Tim Van Steenburgh <tv...@gmail.com>
Committed: Thu Dec 5 21:03:28 2013 +0000

----------------------------------------------------------------------
 Allura/allura/model/repo.py         | 13 ++++++++++++-
 Allura/allura/model/repo_refresh.py |  2 ++
 2 files changed, 14 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/1edeb4ad/Allura/allura/model/repo.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/repo.py b/Allura/allura/model/repo.py
index 3b4feca..1ff6641 100644
--- a/Allura/allura/model/repo.py
+++ b/Allura/allura/model/repo.py
@@ -41,6 +41,7 @@ from allura.lib import helpers as h
 from .auth import User
 from .session import main_doc_session, project_doc_session
 from .session import repository_orm_session
+from .timeline import ActivityObject
 
 log = logging.getLogger(__name__)
 
@@ -164,11 +165,21 @@ class RepoObject(object):
             r = cls.query.get(_id=id)
         return r, isnew
 
-class Commit(RepoObject):
+class Commit(RepoObject, ActivityObject):
     type_s = 'Commit'
     # Ephemeral attrs
     repo=None
 
+    @property
+    def activity_name(self):
+        return self.shorthand_id()
+
+    def has_activity_access(self, perm, user):
+        """Commits have no ACLs and are therefore always viewable by any user.
+
+        """
+        return True
+
     def set_context(self, repo):
         self.repo = repo
 
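Review bot: `has_activity_access` returning True unconditionally makes a commit's activity entry visible to every user even when the repository that owns it has a read ACL (a private project, for instance); the docstring's claim that commits have no ACLs holds for the Commit document but not for its repository. The ephemeral `repo` attribute (`repo=None`, set only by `set_context`) may not be populated when the timeline is rendered, so delegating to the repository's permission, e.g. `return bool(h.has_access(self.repo.app_config, perm, user))` with `h` already imported at the top of this module, only works once the owning repo has been resolved, and I can't tell from the diff how the activity layer supplies that context or what `perm` it passes. The docstring also has a dangling blank line before its closing quotes; `"""Commits have no ACLs and are therefore always viewable by any user."""` on one line reads cleaner.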

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/1edeb4ad/Allura/allura/model/repo_refresh.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/repo_refresh.py b/Allura/allura/model/repo_refresh.py
index 52855b5..2a8af51 100644
--- a/Allura/allura/model/repo_refresh.py
+++ b/Allura/allura/model/repo_refresh.py
@@ -137,6 +137,8 @@ def refresh_repo(repo, all_commits=False, notify=True, new_clone=False):
                 user = User.by_username(new.committed.name)
             if user is not None:
                 g.statsUpdater.newCommit(new, repo.app_config.project, user)
+                g.director.create_activity(user, 'committed', new,
+                        related_nodes=[repo.app_config.project])
 
     log.info('Refresh complete for %s', repo.full_fs_path)
     g.post_event('repo_refreshed', len(commit_ids), all_commits, new_clone)
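Review bot: The new `create_activity` call runs for every commit the loop visits on each refresh, so if `refresh_repo` is called with `all_commits=True` on a repository that was already refreshed and `create_activity` is not idempotent, every earlier commit gets a second 'committed' entry; the loop and the start of `refresh_repo` are outside the hunk, so I can't tell whether the loop variable `new` is restricted to commits not seen before. A comment at the call site stating which case holds, e.g. `# only commits not previously refreshed reach here, so activities are not duplicated`, or a guard on `all_commits`, would settle it. The continuation line `related_nodes=[repo.app_config.project])` is also indented eight extra spaces; aligning it under the opening parenthesis is the PEP 8 form.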