Posted to commits@allura.apache.org by tv...@apache.org on 2014/01/21 23:09:20 UTC

[05/22] git commit: [#7026] Require POST for follow/unfollow actions

[#7026] Require POST for follow/unfollow actions

Signed-off-by: Cory Johns <cj...@slashdotmedia.com>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/05f5804e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/05f5804e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/05f5804e

Branch: refs/heads/tv/6393
Commit: 05f5804e53d1ed8147282a6bf2a4049e4d614870
Parents: 84309dd
Author: Cory Johns <cj...@slashdotmedia.com>
Authored: Wed Jan 15 19:38:54 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Wed Jan 15 20:06:55 2014 +0000

----------------------------------------------------------------------
 Allura/allura/templates/jinja_master/lib.html             |  8 +++++++-
 ForgeActivity/forgeactivity/main.py                       |  2 ++
 ForgeActivity/forgeactivity/templates/widgets/follow.html |  3 ++-
 ForgeActivity/forgeactivity/tests/functional/test_root.py |  4 ++--
 .../forgeactivity/widgets/resources/js/follow.js          | 10 ++++++----
 5 files changed, 19 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/Allura/allura/templates/jinja_master/lib.html
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/jinja_master/lib.html b/Allura/allura/templates/jinja_master/lib.html
index 4162368..f83e23c 100644
--- a/Allura/allura/templates/jinja_master/lib.html
+++ b/Allura/allura/templates/jinja_master/lib.html
@@ -17,9 +17,15 @@
        under the License.
 -#}
 
+{% macro csrf() -%}
+  {% if request -%}
+    {{request.cookies['_session_id']}}
+  {%- endif %}
+{%- endmacro %}
+
 {% macro csrf_token() -%}
   {% if request %}
-    <input name="_session_id" type="hidden" value="{{request.cookies['_session_id']}}">
+    <input name="_session_id" type="hidden" value="{{csrf()}}">
   {% endif %}
 {%- endmacro %}
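Review bot: The new csrf() macro on line 46 indexes `request.cookies['_session_id']` directly, so a request that carries no session cookie would raise KeyError while rendering instead of yielding an empty token; the existing csrf_token() macro had the same pattern, but the new macro is the natural place to harden it, e.g. `{{request.cookies.get('_session_id', '')}}` assuming request.cookies is the usual dict-like object. Whether the session middleware guarantees that cookie on every request is not visible here, so treat it as a question for the maintainers. A one-line comment above the macro would also help readers of the widget templates that now call it: `{# Bare CSRF token (the session id) for data- attributes; csrf_token() wraps the same value in a hidden input. #}`.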
 

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/main.py
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/main.py b/ForgeActivity/forgeactivity/main.py
index 9188b66..a1bb21d 100644
--- a/ForgeActivity/forgeactivity/main.py
+++ b/ForgeActivity/forgeactivity/main.py
@@ -31,6 +31,7 @@ from allura.controllers import BaseController
 from allura.lib.security import require_authenticated
 from allura.model.timeline import perm_check
 from allura.lib import helpers as h
+from allura.lib.decorators import require_post
 
 from .widgets.follow import FollowToggle
 
@@ -138,6 +139,7 @@ class ForgeActivityController(BaseController):
                 author_link=h.absurl(t.actor.activity_url))
         return feed.writeString('utf-8')
 
+    @require_post()
     @expose('json:')
     @validate(W.follow_toggle)
     def follow(self, follow, **kw):
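Review bot: `@require_post()` on line 76 makes follow() POST-only, but nothing in this hunk ties the `_session_id` field the widget now posts to an actual check; if that verification lives in a CSRF middleware elsewhere in Allura, it is worth stating on the decorator so the next reader does not assume the decorator does it, e.g. `# POST-only: state-changing; the posted _session_id is verified in <CSRF-CHECK-LOCATION>, not here` with the real location filled in. If no such check exists for this route, the token the JS sends is unused and the POST requirement alone is the only protection. The body of follow() continues outside the hunk.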

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/templates/widgets/follow.html
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/templates/widgets/follow.html b/ForgeActivity/forgeactivity/templates/widgets/follow.html
index 78ae48f..34387e2 100644
--- a/ForgeActivity/forgeactivity/templates/widgets/follow.html
+++ b/ForgeActivity/forgeactivity/templates/widgets/follow.html
@@ -16,7 +16,8 @@
        specific language governing permissions and limitations
        under the License.
 -#}
-<a  href="{{action}}?follow={{not following}}"
+{% import 'allura:templates/jinja_master/lib.html' as lib with context %}
+<a  href="{{action}}" data-following="{{following|lower}}" data-csrf="{{lib.csrf()}}"
     class="artifact_follow{{ ' active' if following }}"
     title="{{'Stop %sing' % action_label if following else action_label|capitalize}} {{thing}}"><b
         data-icon="{{g.icons[icon].char}}" class="ico {{g.icons[icon].css}}"
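Review bot: The `|lower` on `data-following` (line 93) is load-bearing: jQuery's `.data()` turns the literal strings "true"/"false" into booleans and follow.js negates that value to build the request, so a capitalised "True" would be a truthy string and the toggle would always send `follow=false`. A short comment keeps that coupling visible: `{# lower-cased so jQuery .data('following') yields a boolean; follow.js negates it #}`. The `data-csrf` attribute places the session id in the anchor markup, readable by any script on the page; that appears to be the same exposure as the existing csrf_token() hidden input, but it is now emitted once per follow link rather than once per form.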

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/tests/functional/test_root.py
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/tests/functional/test_root.py b/ForgeActivity/forgeactivity/tests/functional/test_root.py
index c308112..6ac88d9 100644
--- a/ForgeActivity/forgeactivity/tests/functional/test_root.py
+++ b/ForgeActivity/forgeactivity/tests/functional/test_root.py
@@ -123,7 +123,7 @@ class TestActivityController(TestController):
     @td.with_tool('u/test-user-1', 'activity')
     @td.with_user_project('test-user-1')
     def test_follow_user(self):
-        resp = self.app.get('/u/test-user-1/activity/follow?follow=True')
+        resp = self.app.post('/u/test-user-1/activity/follow', {'follow': 'True'})
         assert 'You are now following Test User 1' in resp, resp
 
     @td.with_tool('u/test-admin', 'activity')
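Review bot: The two rewritten tests (here and in the test_background_aggregation hunk below) post the follow flag with different casing, `'True'` on line 109 and `'true'` on line 118; picking one form keeps the tests from silently depending on how the validator normalises the string. Neither post includes `_session_id`, so either CSRF enforcement is off in the test app or it is not applied to this route — worth confirming, since the widget now sends that field. A companion test asserting that a GET to the same URL is rejected, e.g. `self.app.get('/u/test-user-1/activity/follow?follow=True', status=<EXPECTED_STATUS>)`, would pin the restriction this commit introduces.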
@@ -156,7 +156,7 @@ class TestActivityController(TestController):
     @td.with_tool('u/test-user-1', 'activity')
     @td.with_user_project('test-user-1')
     def test_background_aggregation(self):
-        self.app.get('/u/test-admin/activity/follow?follow=True',
+        self.app.post('/u/test-admin/activity/follow', {'follow':'true'},
                      extra_environ=dict(username='test-user-1'))
         # new ticket, creates activity
         d = {'ticket_form.summary': 'New Ticket'}

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/05f5804e/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
----------------------------------------------------------------------
diff --git a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
index 0739963..b7d2679 100644
--- a/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
+++ b/ForgeActivity/forgeactivity/widgets/resources/js/follow.js
@@ -33,16 +33,18 @@ $(document).ready(function() {
     $('.artifact_follow').click(function(e) {
         e.preventDefault();
         var $link = $(this);
-        $.get(this.href, function(result) {
+        var data = {
+            '_session_id': $link.data('csrf'),
+            'follow': ! $link.data('following')
+        };
+        $.post(this.href, data, function(result) {
             flash(result.message, result.success ? 'success' : 'error');
-            console.log(result.following);
+            $link.data('following', result.following);
             if (result.following && !$link.hasClass('active')) {
-                $link.attr('href', $link.attr('href').replace(/True$/i, 'False'));
                 $link.addClass('active');
                 title_stop_following($link);
                 title_stop_following($link.find('b'));
             } else if (!result.following && $link.hasClass('active')) {
-                $link.attr('href', $link.attr('href').replace(/False$/i, 'True'));
                 $link.removeClass('active');
                 title_start_following($link);
                 title_start_following($link.find('b'));
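Review bot: The `$.post` on line 138 only registers a success callback, so a rejected request (for example when the session or CSRF value is not accepted) leaves the link unchanged with no message to the user; the old `$.get` had the same gap, but the request can now fail for more reasons. Chaining `.fail(function() { flash('Could not update following status', 'error'); })` after the success callback would surface it; that callback closes outside this hunk. Also `! $link.data('following')` on line 136 depends on jQuery converting the "true"/"false" attribute strings to booleans, which is why the template lower-cases the value — a comment such as `// data('following') is a boolean: jQuery parses the lower-cased data-following attribute` would make that explicit.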