Turn on CSRF protection - all forms must from now on have a {% csrf_token %}

 - Legacy-Id: 6963

Author: OleLaursen

ietf/dbtemplate/templates/dbtemplate/template_edit.html

@@ -30,7 +30,7 @@ <h2>Meta information</h2>
 </dl>
 
 <h2>Edit template content</h2>
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.as_p }}
 <input type="submit" value="Submit changes" />
 </form>

ietf/meeting/views.py

@@ -22,6 +22,7 @@
 from django.middleware.gzip import GZipMiddleware
 from django.db.models import Max
 from django.forms.models import modelform_factory
+from django.views.decorators.csrf import ensure_csrf_cookie
 
 from ietf.utils.pipe import pipe
 from ietf.ietfauth.utils import role_required, has_role
@@ -160,6 +161,7 @@ def agenda_create(request, num=None, schedule_name=None):
 
 
 @decorator_from_middleware(GZipMiddleware)
+@ensure_csrf_cookie
 def edit_timeslots(request, num=None):
 
     meeting = get_meeting(num)
@@ -197,6 +199,7 @@ def edit_timeslots(request, num=None):
 #@role_required('Area Director','Secretariat')
 # disable the above security for now, check it below.
 @decorator_from_middleware(GZipMiddleware)
+@ensure_csrf_cookie
 def edit_agenda(request, num=None, schedule_name=None):
 
     if request.method == 'POST':
@@ -286,6 +289,7 @@ def edit_agenda(request, num=None, schedule_name=None):
 
 @role_required('Area Director','Secretariat')
 @decorator_from_middleware(GZipMiddleware)
+@ensure_csrf_cookie
 def edit_agenda_properties(request, num=None, schedule_name=None):
 
     meeting = get_meeting(num)
@@ -304,6 +308,7 @@ def edit_agenda_properties(request, num=None, schedule_name=None):
 
 @role_required('Area Director','Secretariat')
 @decorator_from_middleware(GZipMiddleware)
+@ensure_csrf_cookie
 def edit_agendas(request, num=None, order=None):
 
     #if request.method == 'POST':
@@ -325,6 +330,7 @@ def edit_agendas(request, num=None, order=None):
                                          RequestContext(request)),
                         content_type="text/html")
 
+@ensure_csrf_cookie
 def agenda(request, num=None, name=None, base=None, ext=None):
     base = base if base else 'agenda'
     ext = ext if ext else '.html'

ietf/secr/templates/announcement/confirm.html

@@ -15,7 +15,7 @@
 <div class="module">
     <h2>Announcement</h2>
 
-    <form action="" method="POST">
+    <form action="" method="post">{% csrf_token %}
 
 <pre id="announce-confirm">
 To: {{ to }}

ietf/secr/templates/announcement/main.html

@@ -11,7 +11,7 @@
 <div class="module">
     <h2>Announcement</h2>
 
-    <form action="" method="POST">
+    <form action="" method="post">{% csrf_token %}
     <table class="new-style full-width amstable" id="announce-table">
       {% if form.non_field_errors %}{{ form.non_field_errors }}{% endif %}
       {% for field in form.visible_fields %}

ietf/secr/templates/areas/add.html

@@ -15,7 +15,7 @@
 
 <div class="module">
   <h2>Area - Add</h2>
-  <form enctype="multipart/form-data" action="" method="post">
+  <form enctype="multipart/form-data" action="" method="post">{% csrf_token %}
   <table id="area-add-table" class="full-width amstable">
     <col width="150">
     {{ area_form.as_table }}

ietf/secr/templates/areas/edit.html

@@ -15,7 +15,7 @@
 {% block content %}
 
 <div class="module">
-    <form action="." method="post">
+    <form action="." method="post">{% csrf_token %}
     <h2>Area - Edit</h2>
       <table class="full-width amstable">
         <col width="150">

ietf/secr/templates/areas/people.html

@@ -21,7 +21,7 @@
     <h2>Area Directors ({{ area.acronym }})</h2>
       <table class="center">
         {% for director in directors %}
-          <form action="modify/" method="post">
+          <form action="modify/" method="post">{% csrf_token %}
             <input type="hidden" name="tag" value="{{ director.person.id }}" />
             <tr>
               <td id="id-ad-name"><a href="">{{ director.person.name }}</a></td>
@@ -39,7 +39,7 @@ <h2>Area Directors ({{ area.acronym }})</h2>
       <div class="inline-related">
         <h3><b>Add new Director</b></h3>
         <p>
-        <form action="." method="post">
+        <form action="." method="post">{% csrf_token %}
           <table class="center">
             {{ form.as_table }}
             <tr>

ietf/secr/templates/drafts/add.html

@@ -16,7 +16,7 @@
 
 <div class="module draft-container">
     <h2>Draft - Add</h2>
-    <form id="drafts-add-form" enctype="multipart/form-data" action="" method="post">
+    <form id="drafts-add-form" enctype="multipart/form-data" action="" method="post">{% csrf_token %}
       <table class="full-width amstable">
         <col width="150">
         {{ form.as_table }}

ietf/secr/templates/drafts/approvals.html

@@ -14,7 +14,7 @@
 
 <div class="module draft-container">
     <h2>Draft - Approvals</h2>
-    <form id="drafts-approvals-form" enctype="multipart/form-data" action="" method="post">
+    <form id="drafts-approvals-form" enctype="multipart/form-data" action="" method="post">{% csrf_token %}
       <table class="full-width">
 	{{ form.as_table }}
       </table>

ietf/secr/templates/drafts/authors.html

@@ -43,7 +43,7 @@ <h2>Authors</h2>
     <div class="inline-related">
       <!-- <hr><br> -->
       <h3>Add Author</h3>
-      <form id="groups-people" action="" method="post">
+      <form id="groups-people" action="" method="post">{% csrf_token %}
         {{ form.non_field_errors }}
         <table class="full-width">
           <tr>