
Ticket #1331 (closed enhancement: fixed)

Opened 12 years ago

Last modified 12 years ago

CSRF protection in twForms

Reported by: __pv Owned by: alberto
Priority: normal Milestone: 2.0
Component: ToscaWidgets Version: 1.0
Severity: normal Keywords:
Cc:

Description

It would be nice if ToscaWidgets forms had a form token for CSRF protection, out of the box. This probably requires the availability of a session object, so it probably cannot be decoupled fully from the framework. Maybe something like the attached could work.
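The pattern the ticket asks for, as an added stand-alone example that is not the attached tw_csrf.py and not ToscaWidgets code: a per-session secret is created on first use, the token for a given form is an HMAC of the form id under that secret (so nothing has to be stored per form, and a token issued for one form does not validate another), the token is rendered as a hidden field, and validation rejects a missing, empty, forged or foreign-session token using a constant-time compare. The session is modelled as a plain dict standing in for the framework's session object; the field name `_csrf_token`, the session key `_csrf_secret`, and the `SecureForm` class with its `display`/`validate` API are all assumptions for illustration.

```python
"""Session-bound CSRF token for an HTML form (added example, not project code).

The framework session is modelled as a plain dict.  The hidden-field name,
the session key and the SecureForm class/API below are assumptions.
"""
import hashlib
import hmac
import secrets
from html import escape

TOKEN_FIELD = "_csrf_token"   # assumed name of the hidden field
SECRET_KEY = "_csrf_secret"   # assumed key under which the session keeps its secret


def session_secret(session, create=True):
    """Return the per-session secret, minting one on first use.

    A fresh random secret per session means a token copied from one user's
    page (or from an expired session) is worthless against any other session.
    """
    secret = session.get(SECRET_KEY)
    if secret is None and create:
        secret = secrets.token_hex(32)
        session[SECRET_KEY] = secret
    return secret


def make_token(session, form_id):
    """Token for one form: HMAC-SHA256(session secret, form id), hex encoded.

    Nothing is stored per form, and the form id in the MAC input stops a
    token issued for form A from being replayed against form B.
    """
    secret = session_secret(session)
    return hmac.new(secret.encode(), form_id.encode(), hashlib.sha256).hexdigest()


def check_token(session, form_id, submitted):
    """True only if `submitted` is exactly the token this session would issue."""
    secret = session_secret(session, create=False)
    if secret is None or not isinstance(submitted, str) or not submitted:
        return False          # no session yet, or field missing/empty: never valid
    expected = hmac.new(secret.encode(), form_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare on bytes; a plain == would leak timing and a
    # non-ASCII str would make compare_digest raise.
    return hmac.compare_digest(expected.encode(), submitted.encode("utf-8", "replace"))


class SecureForm:
    """Minimal form that renders the hidden token and refuses submissions
    without the matching one.  Stand-in for a mixin on a real form class;
    the rendering and validation API is invented for this example."""

    def __init__(self, form_id, fields):
        self.form_id = form_id
        self.fields = list(fields)   # names of the visible input fields

    def display(self, session):
        """Render the form with the session-bound token as a hidden field."""
        token = make_token(session, self.form_id)
        parts = ['<form method="post" id="%s">' % escape(self.form_id),
                 '<input type="hidden" name="%s" value="%s"/>'
                 % (TOKEN_FIELD, escape(token))]
        for name in self.fields:
            parts.append('<input type="text" name="%s"/>' % escape(name))
        parts.append('<input type="submit"/></form>')
        return "\n".join(parts)

    def validate(self, session, post):
        """Return (values, errors) for a POST body given as a dict.

        The token error is attached to the form itself rather than to the
        hidden field, since a hidden field has nowhere to show an error.
        """
        errors = {}
        if not check_token(session, self.form_id, post.get(TOKEN_FIELD)):
            errors["form"] = "missing or invalid CSRF token"
        values = {name: post.get(name, "") for name in self.fields}
        return values, errors


if __name__ == "__main__":
    # Constructed walk-through: a victim session and an attacker-crafted POST.
    victim = {}
    form = SecureForm("change_email", ["email"])
    print(form.display(victim))
    good = {"email": "me@example.org", TOKEN_FIELD: make_token(victim, "change_email")}
    forged = {"email": "attacker@example.org"}            # cross-site POST has no token
    print("legit  :", form.validate(victim, good)[1])
    print("forged :", form.validate(victim, forged)[1])
```

The token must travel in the form body (and be compared against the server-side session), never only in a cookie, since a cross-site request carries the victim's cookies automatically but cannot read or guess the session secret.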

Attachments

tw_csrf.py Download (4.2 KB) - added by __pv 12 years ago.
Example of a way for implementing CSRF protection
tw_csrf.patch Download (6.5 KB) - added by __pv 12 years ago.
Attached a more formal patch against twForms svn r2755.
tw_hidden_field_errors.patch Download (2.9 KB) - added by __pv 12 years ago.
Show errors in hidden fields

Change History

Changed 12 years ago by __pv

Example of a way for implementing CSRF protection

comment:1 Changed 12 years ago by alberto

  • Status changed from new to assigned

Hi,

This is something I planned to implement someday so many thanks for getting ahead of me :)

From skimming the patch I just see one issue:

Usually it's the Form (or FieldSet) that displays its fields' errors, not the fields themselves. You mind if I tweak the patch to take this into account and use testutil.WidgetTestCase to normalize the test?

Thanks :)

Alberto

comment:2 Changed 12 years ago by __pv

Hi,

I forgot about that error message hack that I added to overcome the fact that forms did not display errors for hidden fields. If this is changed, then there's no need to override the template in SecureTicketField. And sure, if something like this is integrated in TW, it should use TW's test system.

Changed 12 years ago by __pv

Attached a more formal patch against twForms svn r2755.

Changed 12 years ago by __pv

Show errors in hidden fields

comment:3 Changed 12 years ago by alberto

  • Status changed from assigned to closed
  • Resolution set to fixed

Applied both patches at [2783] with slight changes:

  • SecureFormMixin does initialization at post_init instead of __init__. That use is exactly what post_init is designed for. Now SecureFormMixin can be used as a mixin without needing to call both superclasses' init when subclassing. Code at post_init is always run, after all __init__s have been called but before locking the widget. I had to change the token at the tests to account for the new position the hidden field is placed at.
  • Modified get_form_info to use Widget.walk to walk the widget tree.

Thanks for the patches! :)

Alberto
