Add CSRF validation to project history deletion

This commit is contained in:
Baptiste Jonglez 2021-07-14 15:42:33 +02:00 committed by zorun
parent 2bb6f2b6a7
commit 969029a811
2 changed files with 16 additions and 0 deletions


@ -55,6 +55,7 @@
<div class="modal-footer">
<button type="button" class="btn btn-secondary" data-dismiss="modal">{{ _("Close") }}</button>
<form action="{{ url_for(".strip_ip_addresses") }}" method="post">
{{ csrf_form.csrf_token }}
<input type="submit" class="btn btn-danger" value="{{ _("Confirm Delete") }}" name="{{ _("Confirm Delete") }}"/>
</form>
</div>
@ -75,6 +76,7 @@
<div class="modal-footer">
<button type="button" class="btn btn-secondary" data-dismiss="modal">{{ _("Close") }}</button>
<form action="{{ url_for(".erase_history") }}" method="post">
{{ csrf_form.csrf_token }}
<input type="submit" class="btn btn-danger" value="{{ _("Confirm Delete") }}" name="{{ _("Confirm Delete") }}"/>
</form>
</div>
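Review bot: The two added `{{ csrf_form.csrf_token }}` lines make this template depend on every view that renders it passing a `csrf_form` in the context; with Jinja's default `Undefined`, an attribute access on a missing variable raises rather than rendering empty, so any other render of this template would start failing at request time. Only `history()` is shown passing it in this commit, so if the template is rendered from anywhere else (hedged, not visible here) those views need the same `csrf_form=EmptyForm()` argument. A one-line comment above each form, `{# csrf_form is supplied by the history() view; any view rendering this template must pass it #}`, would make the new contract explicit to the next editor.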


@ -799,6 +799,7 @@ def settle_bill():
@main.route("/<project_id>/history")
def history():
"""Query for the version entries associated with this project."""
csrf_form = EmptyForm()
history = get_history(g.project, human_readable_names=True)
any_ip_addresses = any(event["ip"] for event in history)
@ -811,12 +812,19 @@ def history():
LoggingMode=LoggingMode,
OperationType=Operation,
current_log_pref=g.project.logging_preference,
csrf_form=csrf_form,
)
@main.route("/<project_id>/erase_history", methods=["POST"])
def erase_history():
"""Erase all history entries associated with this project."""
# Used for CSRF validation
form = EmptyForm()
if not form.validate():
flash(_("CSRF Token: The CSRF token is invalid."), category="danger")
return redirect(url_for(".history"))
for query in get_history_queries(g.project):
query.delete(synchronize_session="fetch")
@ -827,6 +835,12 @@ def erase_history():
@main.route("/<project_id>/strip_ip_addresses", methods=["POST"])
def strip_ip_addresses():
"""Strip ip addresses from history entries associated with this project."""
# Used for CSRF validation
form = EmptyForm()
if not form.validate():
flash(_("CSRF Token: The CSRF token is invalid."), category="danger")
return redirect(url_for(".history"))
for query in get_history_queries(g.project):
for version_object in query.all():
version_object.transaction.remote_addr = None
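Review bot: The five-line CSRF check at the top of erase_history and strip_ip_addresses is the same code pasted twice, and the flashed text is a fixed string rather than the error the form actually produced, so the two views will drift apart as soon as one is touched. Pulling the check into a small private helper keeps both in step and gives the next POST view in this blueprint a one-line way to opt in. If the blueprint has further state-changing POST routes not covered by this commit (not visible here), Flask-WTF's `CSRFProtect` extension enforces the token on every POST without any per-view code and may be the better long-term fix. The redirect target `url_for(".history")` is built without a `project_id`, which only works if the blueprint injects it via a url_defaults hook; worth a comment at the redirect noting that assumption. Both view bodies continue past the end of this hunk.
```python
def _csrf_valid():
    """Return True when the current POST carries a valid CSRF token.

    EmptyForm declares no fields of its own, so validate() checks only the
    csrf_token Flask-WTF adds; shared by the destructive history views.
    """
    return EmptyForm().validate()


@main.route("/<project_id>/erase_history", methods=["POST"])
def erase_history():
    """Erase all history entries associated with this project."""
    if not _csrf_valid():
        flash(_("CSRF Token: The CSRF token is invalid."), category="danger")
        # project_id is expected to be filled in by the blueprint's url_defaults
        return redirect(url_for(".history"))
    # … unchanged: history deletion loop …
```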