You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@allura.apache.org by Igor Bondarenko <je...@users.sf.net> on 2013/11/01 09:23:17 UTC
[allura:tickets] #5475 Move CSRF token insertion from JS to easywidgets
- **status**: open --> in-progress
---
** [tickets:#5475] Move CSRF token insertion from JS to easywidgets**
**Status:** in-progress
**Labels:** p3 support 42cc
**Created:** Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen
**Last Updated:** Thu Oct 31, 2013 07:37 PM UTC
**Owner:** nobody
Standard forms across on Allura have a `_session_id` field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.
For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The `ForgeForm` class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.
AJAX forms can stay as-is, they use JS already anyway.
---
Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.