Added csrf token to login
This commit is contained in:
parent
24b3d40fb6
commit
f2948c74ff
3 changed files with 24 additions and 2 deletions
@ -3,7 +3,7 @@
|
|||
from paramecio2.libraries.db import corefields
|
||||
from paramecio2.libraries.db.coreforms import PasswordForm
|
||||
from paramecio2.libraries.i18n import I18n
|
||||
from flask import session
|
||||
from flask import session, request, abort
|
||||
from paramecio2.libraries.keyutils import create_key_encrypt
|
||||
|
||||
# Need unittest
|
||||
|
|
@ -210,3 +210,11 @@ def generate_csrf():
|
|||
|
||||
return session['csrf_token']
|
||||
|
||||
def check_csrf(name_csrf_token='csrf_token'):
|
||||
|
||||
csrf_token=session.get('csrf_token', '')
|
||||
|
||||
if csrf_token=='' or csrf_token!=request.form.get(name_csrf_token):
|
||||
abort(404)
|
||||
|
||||
|
||||
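Review bot: In check_csrf the comparison `csrf_token!=request.form.get(name_csrf_token)` is a plain string compare that stops at the first differing character; for a session secret compared against attacker-supplied input use a constant-time compare, e.g. `submitted=request.form.get(name_csrf_token, '')` followed by `if csrf_token=='' or not hmac.compare_digest(csrf_token, submitted):`, with `import hmac` added to the module imports (the `''` default matters because compare_digest rejects None). abort(404) also reports a missing or mismatched token as "not found"; 400 or 403 is the conventional status for a failed CSRF check and is easier to tell apart in logs. The token is read only from request.form, so a JSON or AJAX caller would need a header fallback if such requests are ever protected this way. generate_csrf, named in the second hunk header, starts outside the hunk; check_csrf itself is complete within it.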
|
@ -13,6 +13,7 @@ import copy
|
|||
from os import path
|
||||
from paramecio2.modules.admin import admin_app, t
|
||||
from paramecio2.libraries.sendmail import SendMail
|
||||
from paramecio2.libraries.formsutils import check_csrf
|
||||
|
||||
yes_recovery_login=False
|
||||
email_address='localhost'
|
||||
|
|
@ -66,6 +67,12 @@ def admin_prepare():
|
|||
|
||||
return redirect(url_redirect)
|
||||
|
||||
|
||||
"""
|
||||
if request.method=='POST':
|
||||
check_csrf()
|
||||
"""
|
||||
|
||||
@admin_app.after_request
|
||||
def admin_finished(response):
|
||||
|
||||
|
|
@ -187,6 +194,8 @@ def login():
|
|||
|
||||
if request.method=='POST':
|
||||
|
||||
check_csrf()
|
||||
|
||||
username=request.form['username']
|
||||
|
||||
password=request.form['password']
|
||||
|
|
@ -279,6 +288,8 @@ def signup():
|
|||
|
||||
if request.method=='POST':
|
||||
|
||||
check_csrf()
|
||||
|
||||
user_admin.conditions=['WHERE privileges=%s', [2]]
|
||||
|
||||
forms=dict(request.form)
|
||||
|
|
@ -337,6 +348,8 @@ def auth_check():
|
|||
|
||||
error=1
|
||||
|
||||
check_csrf()
|
||||
|
||||
if 'login_admin' in session:
|
||||
|
||||
code=request.form.get('code', '')
|
||||
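Review bot: The blueprint-wide check in admin_prepare is disabled by wrapping `if request.method=='POST': check_csrf()` in a bare string literal, so CSRF protection is opt-in per view and any other POST handler in this blueprint that does not call `check_csrf()` itself stays unprotected; if the global check is deliberately deferred, replace the string with `# TODO: enable blueprint-wide check_csrf() once every admin form renders the token` rather than leaving executable-looking dead code. The calls added to login(), signup() and auth_check() only pass when the matching template emits `${csrf_token()|n}`, and this commit touches a single template, so unless the login and signup templates already include the hidden field those POSTs will now be rejected with 404. In auth_check() the check runs before the `'login_admin' in session` test and, as far as the hunk shows, outside any request.method guard, so a GET to that route would hit abort(404) as well; confirm the route is POST-only. admin_prepare, login, signup and auth_check all start outside their hunks.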
@ -8,6 +8,7 @@
|
|||
<div class="form">
|
||||
<p align="center">${lang('admin', 'check_your_email', 'Check your email for get instructions for complete login with double auth or')} <a href="${url_for('.logout')}">logout</a> and login again with other user</p>
|
||||
<p><label>${lang('admin', 'code', 'Code')} *</label><input type="text" class="" name="code" id="code_form" value="" /> <span class="error" id="code_error"></span></p>
|
||||
${csrf_token()|n}
|
||||
</div>
|
||||
<div id="submit_block">
|
||||
<input type="submit" value="${lang('common', 'send_code', 'Send code')}" class="submit" id="code_submit"/>
|
||||
|
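Review bot: `${csrf_token()|n}` switches off Mako's HTML escaping for whatever csrf_token() returns, which is safe only if the helper builds the hidden `<input>` markup itself around a token it generated server-side (generate_csrf in formsutils) and never from request data; the hunk does not show the helper, so this is worth confirming. A one-line Mako comment above it, `## csrf_token() renders the hidden input; |n keeps the markup from being escaped`, would record why the raw filter is needed. The enclosing form starts and ends outside the hunk.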