Merge bc049eedec into 662e09eccf

resources/templates/csrf_error.tmpl

@@ -0,0 +1,16 @@
+## -*- coding: utf-8 -*-
+<%inherit file="base.tmpl"/>
+<%block name="core">
+    <div class="row clearfix" style="margin-top:30px">
+        <div class="col-md-4 column"></div>
+        <div class="col-md-4 column well">
+        <div class="alert alert-dismissable alert-danger">
+            <h4>Your request was denied for security reasons.</h4>
+            <p>This may happen from time to time if you don't actively use the tab or if you clear cookies.</p>
+            <p>Try to refresh the page and contact an administrator if the problem persists.</p>
+        </div>
+        <a class="btn btn-default blue" href='/'><span class="glyphicon glyphicon-home"></span> Return</a>
+        </div>
+        <div class="col-md-4 column"></div>
+    </div>
+</%block>

resources/templates/csrf_field.tmpl

@@ -0,0 +1,3 @@
+## -*- coding: utf-8 -*-
+<%! from ldapcherry.csrf import get_csrf_token, CSRF_INPUT_NAME %>
+<input type="hidden" name="${CSRF_INPUT_NAME}" value="${get_csrf_token()}"/>

resources/templates/form.tmpl

@@ -1,5 +1,6 @@
 ## -*- coding: utf-8 -*-
-<% 
+<%
+from ldapcherry.csrf import get_csrf_field
 from markupsafe import Markup
 len_attr = len(attributes)
 switch = len_attr / 2
@@ -16,11 +17,11 @@ for a in sorted(attributes.keys(), key=lambda attr: attributes[attr]['weight']):
     counter = counter + 1
 %>
 <%def name="form_col(l)">
-% for a in l: 
+% for a in l:
 <% attr = attributes[a] %>
 <div class="form-group">
 <div class="input-group">
-  <% 
+  <%
     if modify:
         required = ''
     else:
@@ -84,6 +85,8 @@ ${form_col(lc1)}
 ${form_col(lc2)}
 </div>
 </div>
+<%include file="csrf_field.tmpl"/>
+
 % if autofill:
 <%
 attr_set = []

resources/templates/login.tmpl

@@ -11,24 +11,25 @@
                 action='login'
 % endif
             >
-              <div class="form-group">
-              <h2 class="form-signin-heading">Please sign in</h2>
-                <div class="input-group">
-                    <span class="input-group-addon glyphicon glyphicon-user"></span>
-                    <input type="text" class="form-control" name="login" placeholder="Login" required autofocus>
+                <div class="form-group">
+                    <h2 class="form-signin-heading">Please sign in</h2>
+                    <div class="input-group">
+                        <span class="input-group-addon glyphicon glyphicon-user"></span>
+                        <input type="text" class="form-control" name="login" placeholder="Login" required autofocus>
+                    </div>
                 </div>
-              </div>
-              <div class="form-group">
-                <div class="input-group">
-                    <span class="input-group-addon glyphicon glyphicon-lock"></span>
-                    <input type="password" class="form-control" name="password" placeholder="Password" required>
+                <div class="form-group">
+                    <div class="input-group">
+                        <span class="input-group-addon glyphicon glyphicon-lock"></span>
+                        <input type="password" class="form-control" name="password" placeholder="Password" required>
+                    </div>
                 </div>
-              </div>
-              <div class="form-group">
-                <div class="input-group">
-                  <button class="btn btn-default blue" type="submit"><span class="glyphicon glyphicon-off"></span> Sign in</button>
+                <div class="form-group">
+                    <div class="input-group">
+                        <%include file="csrf_field.tmpl"/>
+                        <button class="btn btn-default blue" type="submit"><span class="glyphicon glyphicon-off"></span> Sign in</button>
+                    </div>
                 </div>
-              </div>
             </form>
         </div>
         <div class="col-md-4 column"></div>

resources/templates/searchadmin.tmpl

@@ -1,6 +1,7 @@
 ## -*- coding: utf-8 -*-
 <%inherit file="navbar.tmpl"/>
 <%block name="core">
+    <% from ldapcherry.csrf import get_csrf_token %>
     <div class="row clearfix">
         <div class="col-md-12 column">
             <form method='get' action='/searchadmin' role="form" class="form-inline" data-toggle="validator">
@@ -42,8 +43,8 @@
                             %for attr in sorted(attrs_list.keys(), key=lambda attr: attrs_list[attr]['weight']):
                                 <td>
                                     % if attr in searchresult[user]:
-                                        <% 
-                                        value = searchresult[user][attr] 
+                                        <%
+                                        value = searchresult[user][attr]
                                         if type(value) is list:
                                             value = ', '.join(value)
                                         %>
@@ -55,7 +56,12 @@
                                     <a href="/modify?user=${user | n,u}" class="btn btn-xs blue pad" ><span class="glyphicon glyphicon-cog"></span> Modify</a>
                                 </td>
                                 <td>
-                                    <a href="/delete?user=${user | n,u}" data-toggle='confirmation-delete' class="btn btn-xs red pad"><span class="glyphicon glyphicon-remove-sign"></span> Delete</a>
+                                    <form action="/delete?user=${user | n,u}" method='POST'>
+                                        <%include file="csrf_field.tmpl"/>
+                                        <button class="btn btn-xs red pad" type="submit" data-toggle='confirmation-delete'>
+                                            <span class="glyphicon glyphicon-remove-sign"></span> Delete
+                                        </button>
+                                    </form>
                                 </td>
                             </tr>
                             % endfor