Posted to commits@allura.apache.org by tv...@apache.org on 2014/01/21 23:09:20 UTC
[05/22] git commit: [#7026] Require POST for follow/unfollow actions
[#7026] Require POST for follow/unfollow actions
Signed-off-by: Cory Johns <cj...@slashdotmedia.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/05f5804e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/05f5804e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/05f5804e
Branch: refs/heads/tv/6393
Commit: 05f5804e53d1ed8147282a6bf2a4049e4d614870
Parents: 84309dd
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Wed Jan 15 19:38:54 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Jan 15 20:06:55 2014 +0000
----------------------------------------------------------------------
Allura/allura/templates/jinja_master/lib.html | 8 +++++++-
ForgeActivity/forgeactivity/main.py | 2 ++
ForgeActivity/forgeactivity/templates/widgets/follow.html | 3 ++-
ForgeActivity/forgeactivity/tests/functional/test_root.py | 4 ++--
.../forgeactivity/widgets/resources/js/follow.js | 10 ++++++----
5 files changed, 19 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/Allura/allura/templates/jinja_master/lib.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/jinja_master/lib.html b/Allura/allura/templates/jinja_master/lib.html
index 4162368..f83e23c 100644
--- a/Allura/allura/templates/jinja_master/lib.html
+++ b/Allura/allura/templates/jinja_master/lib.html
@@ -17,9 +17,15 @@
under the License.
-#}
+{% macro csrf() -%}
+ {% if request -%}
+ {{request.cookies['_session_id']}}
+ {%- endif %}
+{%- endmacro %}
+
{% macro csrf_token() -%}
{% if request %}
- <input name="_session_id" type="hidden" value="{{request.cookies['_session_id']}}">
+ <input name="_session_id" type="hidden" value="{{csrf()}}">
{% endif %}
{%- endmacro %}
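Review bot: The new `csrf()` macro on L34–L38 has no comment saying what it yields, and a reader who meets `lib.csrf()` in a `data-` attribute elsewhere cannot tell from the name that it emits the raw `_session_id` cookie value rather than a derived token. A header comment above L34 would settle that: `{# Yield the bare CSRF token (the _session_id cookie value) for attributes and JS data; csrf_token() wraps it in a hidden input for forms. #}`. Because the output is the session id itself, the comment should also say it is only meant for page content, never for a URL, where it would end up in referrers and logs. How the submitted value is compared with the cookie is not visible in this hunk, so I have not asserted it.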
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/main.py
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/main.py b/ForgeActivity/forgeactivity/main.py
index 9188b66..a1bb21d 100644
--- a/ForgeActivity/forgeactivity/main.py
+++ b/ForgeActivity/forgeactivity/main.py
@@ -31,6 +31,7 @@ from allura.controllers import BaseController
from allura.lib.security import require_authenticated
from allura.model.timeline import perm_check
from allura.lib import helpers as h
+from allura.lib.decorators import require_post
from .widgets.follow import FollowToggle
@@ -138,6 +139,7 @@ class ForgeActivityController(BaseController):
author_link=h.absurl(t.actor.activity_url))
return feed.writeString('utf-8')
+ @require_post()
@expose('json:')
@validate(W.follow_toggle)
def follow(self, follow, **kw):
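Review bot: `@require_post()` on L61 enforces the method, but nothing in this hunk compares the submitted `_session_id` field with the cookie, so the actual cross-site protection for `follow` is happening somewhere the reader cannot see (presumably a request-level check applied to all POSTs). A comment on the decorator stack would make that dependency explicit: `# POST-only; the _session_id form field sent by follow.js is checked against the cookie before this runs`, hedged or corrected once the location of that check is confirmed. The body of `follow` continues past the end of the hunk.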
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/templates/widgets/follow.html
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/templates/widgets/follow.html b/ForgeActivity/forgeactivity/templates/widgets/follow.html
index 78ae48f..34387e2 100644
--- a/ForgeActivity/forgeactivity/templates/widgets/follow.html
+++ b/ForgeActivity/forgeactivity/templates/widgets/follow.html
@@ -16,7 +16,8 @@
specific language governing permissions and limitations
under the License.
-#}
-<a href="{{action}}?follow={{not following}}"
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
+<a href="{{action}}" data-following="{{following|lower}}" data-csrf="{{lib.csrf()}}"
class="artifact_follow{{ ' active' if following }}"
title="{{'Stop %sing' % action_label if following else action_label|capitalize}} {{thing}}"><b
data-icon="{{g.icons[icon].char}}" class="ico {{g.icons[icon].css}}"
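Review bot: With `?follow=` dropped from the `href` on L77 and the endpoint now POST-only, a click without JavaScript issues a plain GET to `{{action}}` that the server will refuse, whereas before this change it toggled the state; if a no-script path matters the anchor should become a `<form method="post">` carrying `lib.csrf_token()`, otherwise a comment should record that the link is JS-only. `data-following="{{following|lower}}"` also depends on jQuery's `.data()` turning the strings `true`/`false` into booleans for `! $link.data('following')` in follow.js to work, which deserves a comment such as `{# 'true'/'false' so jQuery .data() yields a boolean #}`. The anchor element continues past the end of the hunk.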
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/tests/functional/test_root.py b/ForgeActivity/forgeactivity/tests/functional/test_root.py
index c308112..6ac88d9 100644
--- a/ForgeActivity/forgeactivity/tests/functional/test_root.py
+++ b/ForgeActivity/forgeactivity/tests/functional/test_root.py
@@ -123,7 +123,7 @@ class TestActivityController(TestController):
@td.with_tool('u/test-user-1', 'activity')
@td.with_user_project('test-user-1')
def test_follow_user(self):
- resp = self.app.get('/u/test-user-1/activity/follow?follow=True')
+ resp = self.app.post('/u/test-user-1/activity/follow', {'follow': 'True'})
assert 'You are now following Test User 1' in resp, resp
@td.with_tool('u/test-admin', 'activity')
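Review bot: Neither updated test asserts the behaviour the commit adds, namely that a GET to `/u/test-user-1/activity/follow` is now refused, so a later regression back to GET would pass unnoticed; a companion case along the lines of `self.app.get('/u/test-user-1/activity/follow?follow=True', status=...)` with the status `require_post` actually returns would pin it. The two hunks also spell the flag differently (`'True'` on L92, `'true'` on L100 in the second hunk); settling on the lowercase form that follow.js sends means the tests exercise the same validator path as production. Whether the test client supplies the `_session_id` CSRF field on these posts is not visible here; if it does not, the tests are presumably relying on that check being skipped under test.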
@@ -156,7 +156,7 @@ class TestActivityController(TestController):
@td.with_tool('u/test-user-1', 'activity')
@td.with_user_project('test-user-1')
def test_background_aggregation(self):
- self.app.get('/u/test-admin/activity/follow?follow=True',
+ self.app.post('/u/test-admin/activity/follow', {'follow':'true'},
extra_environ=dict(username='test-user-1'))
# new ticket, creates activity
d = {'ticket_form.summary': 'New Ticket'}
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
index 0739963..b7d2679 100644
--- a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
+++ b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
@@ -33,16 +33,18 @@ $(document).ready(function() {
$('.artifact_follow').click(function(e) {
e.preventDefault();
var $link = $(this);
- $.get(this.href, function(result) {
+ var data = {
+ '_session_id': $link.data('csrf'),
+ 'follow': ! $link.data('following')
+ };
+ $.post(this.href, data, function(result) {
flash(result.message, result.success ? 'success' : 'error');
- console.log(result.following);
+ $link.data('following', result.following);
if (result.following && !$link.hasClass('active')) {
- $link.attr('href', $link.attr('href').replace(/True$/i, 'False'));
$link.addClass('active');
title_stop_following($link);
title_stop_following($link.find('b'));
} else if (!result.following && $link.hasClass('active')) {
- $link.attr('href', $link.attr('href').replace(/False$/i, 'True'));
$link.removeClass('active');
title_start_following($link);
title_start_following($link.find('b'));
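Review bot: The `$.post` on L119 has no failure handler, so when the request is refused (a rejected `_session_id` field, an expired session, or the POST-only endpoint answering an error) the user sees nothing and the link silently keeps its old state; chaining `.fail(function() { flash('Could not update follow status', 'error'); })` after the success callback closes that gap, which the old `$.get` shared. On L117, `'follow': ! $link.data('following')` relies on jQuery parsing the `data-following` attribute into a boolean, and a comment `// data-following is 'true'/'false'; jQuery .data() converts it to a boolean` would stop the next editor from writing a string back into it. The click handler's closing lines are outside the hunk.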