Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Ticket #547 (closed task: wontfix)

Opened 13 years ago

Last modified 9 years ago

SecureForm widget

Reported by: alberto Owned by: alberto
Priority: normal Milestone: 1.0.x bugfix
Component: TG Widgets Version:
Severity: normal Keywords: csrf security form


I've just happened to lurk at django's trac and found this interesting  link.

I'm thinking that it shouldn't be too hard to implement a SecureForm? widget which automatically inserts a hidden field with a hash + a validator to check it. All done tranparently to the user.

This is just a quick thought... today it's thursday night and in Lavapies (Madrid) you can already smell some hash burning in the street... maybe I got affected XD


Change History

comment:1 Changed 13 years ago by kevin

We could probably make this an option on the existing form class. Just use the time mechanism and build it in directly.

comment:2 Changed 13 years ago by michele

I'm more keen on a SecureForm?, on the base Form it will just make the template more complex for people who don't need or don't want this feature.

comment:3 Changed 13 years ago by kevin

the reason I suggested putting it on the base form is that the link that Alberto posted made it sound like this was a generally good practice that people aren't following. I think it's best to help people do the things that are good, even if they're not aware of them (and aware of the details).

I'd recommend this: if we get to the point where we're going to implement this, raise it on the list then. For now, this ticket is unscheduled, because there are bigger fish to fry, as they say.

comment:4 Changed 13 years ago by alberto

I might be implementing it sooner than later though... It's a big fish for me: One of my current projects is a control panel for an ISP and once it leaves the beta stage (that is internal use and "trusted" clients only) it will become a must.


comment:5 Changed 13 years ago by kevin

Nothing like open source itch scratching :)

Well, if that's the case, I'd put it out to the list to discuss. If people generally think it's best broken out into a separate form class, that's fine. I just think that it makes sense to protect all forms by default, if it can be done cheaply.

comment:6 Changed 13 years ago by michele

Damn I'm a stupid, we can implement it even on normal forms without touching the template a think, that's the advantage of keeping logic outside of templates. ;-)

Since we prepare the hidden_fields variable in update_data if the form has been constructed using this option (as Kevin mentioned) you can just put this hidden field there and do the right thing with the validator.

So, +1 to add it on the base Form, otherwise we would also need to duplicate SecureTableForm?, SecureListForm? and so on.

It makes a lot of sense on the Form class, sorry Kevin.

comment:7 Changed 13 years ago by kevin

Hey, I didn't think of just adding the hidden field that way either :)

Good suggestion. It's settled then...

comment:8 Changed 13 years ago by jorge.vargas

  • Owner changed from anonymous to alberto
  • Type changed from enhancement to task
  • Milestone set to 1.0

alberto since you said you may need it I took the liverty of assigning it to you :p

comment:9 Changed 12 years ago by alberto

  • Milestone changed from 1.0 to 1.1

comment:10 Changed 12 years ago by alberto

  • Milestone changed from 1.1 to __unclassified__

Batch moved into unclassified from 1.1 to properly track progress on the later

comment:11 Changed 11 years ago by khorn

No updates on ticket in past 2 years. Updates?

comment:12 Changed 10 years ago by jorge.vargas

  • Status changed from new to closed
  • Resolution set to wontfix

tgwidgets is feature freeze, if this is implemented it should be in toscawidgets.

comment:13 Changed 9 years ago by chrisz

  • Milestone changed from __unclassified__ to 1.0.x bugfix
Note: See TracTickets for help on using tickets.