Fix CSRF verification in /admin/mergeorg/ and /admin/purge/

All templates using {% csrf_token %} need to be rendered with a
RequestContext.

This reverts most of commit 58a08f25901079c309d0713223e12c223b413d2c

Also permit POST requests to /search/ -- these aren't relevant to the
site itself, but this used to be allowed before.

diff --git a/pgweb/core/views.py b/pgweb/core/views.py
index 3118e7f8e05498f4197577003684dff516e473b8..96848466ec58c8ee6a8230783b59947cd1f858ea 100644 (file)
--- a/pgweb/core/views.py
+++ b/pgweb/core/views.py
@@ -31,6 +31,7 @@ from survey.models import Survey
 # models and forms needed for core objects
 from models import Organisation
 from forms import OrganisationForm, MergeOrgsForm
+from django.template.context import RequestContext
 
 # Front page view
 @cache(minutes=10)
@@ -185,7 +186,6 @@ def admin_pending(request):
 # Purge objects from varnish, for the admin pages
 @login_required
 @user_passes_test(lambda u: u.is_staff)
-@csrf_exempt
 def admin_purge(request):
        if request.method == 'POST':
                url = request.POST['url']
@@ -205,7 +205,7 @@ def admin_purge(request):
        return render_to_response('core/admin_purge.html', {
                        'purge_completed': completed,
                        'latest_purges': latest,
-                       })
+                       }, RequestContext(request))
 
 @ssl_required
 @csrf_exempt
@@ -226,7 +226,6 @@ def api_varnish_purge(request):
 @login_required
 @user_passes_test(lambda u: u.is_superuser)
 @transaction.commit_on_success
-@csrf_exempt
 def admin_mergeorg(request):
        if request.method == 'POST':
                form = MergeOrgsForm(data=request.POST)
@@ -257,4 +256,4 @@ def admin_mergeorg(request):
 
        return render_to_response('core/admin_mergeorg.html', {
                        'form': form,
-    })
+    }, RequestContext(request))

diff --git a/pgweb/search/views.py b/pgweb/search/views.py
index 265dfeb919a72a3e397d0a4ac05bad7cfcd588fc..0390f147c611e4c86bd58c5e66b00ee80bb994b2 100644 (file)
--- a/pgweb/search/views.py
+++ b/pgweb/search/views.py
@@ -1,5 +1,6 @@
 from django.shortcuts import render_to_response, get_object_or_404
 from django.http import HttpResponse, Http404, HttpResponseRedirect
+from django.views.decorators.csrf import csrf_exempt
 from django.conf import settings
 
 from pgweb.util.decorators import cache
@@ -37,6 +38,7 @@ def generate_pagelinks(pagenum, totalpages, querystring):
                yield '<a href="%s&p=%s">Next</a>' % (querystring, pagenum+1)
 
 
+@csrf_exempt
 @cache(minutes=15)
 def search(request):
        # Perform a general web search

diff --git a/templates/core/admin_mergeorg.html b/templates/core/admin_mergeorg.html
index 6adf2b1e37244dfe33c7d5e71e174b967eda4ed4..cde62ba83eeb01f6b7162b9cfbde0c079f8ca296 100644 (file)
--- a/templates/core/admin_mergeorg.html
+++ b/templates/core/admin_mergeorg.html
@@ -10,7 +10,7 @@
 {%block content%}
 <div id="content-main">
 <h1>Merge organisations</h1>
-<form method="post" action=".">
+<form method="post" action=".">{% csrf_token %}
 <table>
 {{form.as_table}}
 </table>

diff --git a/templates/core/admin_purge.html b/templates/core/admin_purge.html
index 1405570a27053357257200c7571c5cfe7f2d063a..d7e91f1faf9d3d2fc46c898bc5e28dadc481c5e2 100644 (file)
--- a/templates/core/admin_purge.html
+++ b/templates/core/admin_purge.html
@@ -17,7 +17,7 @@
   </div>
 {%endif%}
 
- <form method="POST" action=".">
+ <form method="POST" action=".">{% csrf_token %}
 URL (regex): <input type="text" name="url">
   <input type="submit" value="Purge" />
  </form>