From bad2825fab9f45f468414ed551bad9d987923600 Mon Sep 17 00:00:00 2001
From: Dan McGee <dan@archlinux.org>
Date: Sat, 5 Jun 2010 12:58:31 -0500
Subject: Updates for CSRF protection in Django 1.2.X

Signed-off-by: Dan McGee <dan@archlinux.org>
---
 packages/views.py                                | 2 +-
 settings.py                                      | 1 +
 templates/devel/index.html                       | 2 +-
 templates/devel/profile.html                     | 2 +-
 templates/general_form.html                      | 2 +-
 templates/mirrors/index.html                     | 2 +-
 templates/news/add.html                          | 2 +-
 templates/news/delete.html                       | 2 +-
 templates/packages/details.html                  | 2 +-
 templates/packages/flag.html                     | 2 +-
 templates/packages/search.html                   | 2 +-
 templates/registration/login.html                | 2 +-
 templates/todolists/todolist_confirm_delete.html | 2 +-
 13 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/packages/views.py b/packages/views.py
index 6838de03..9053906b 100644
--- a/packages/views.py
+++ b/packages/views.py
@@ -316,7 +316,7 @@ def flag(request, name='', repo='', arch=''):
 
     context['form'] = form
 
-    return render_to_response('packages/flag.html', context)
+    return render_to_response('packages/flag.html', RequestContext(request, context))
 
 def download(request, name='', repo='', arch=''):
     pkg = get_object_or_404(Package,
diff --git a/settings.py b/settings.py
index 30f594e6..6c9a1183 100644
--- a/settings.py
+++ b/settings.py
@@ -46,6 +46,7 @@
 MIDDLEWARE_CLASSES = (
     'main.middleware.UpdateCacheMiddleware',
     "django.contrib.sessions.middleware.SessionMiddleware",
+    'django.middleware.csrf.CsrfViewMiddleware',
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     'django.middleware.http.ConditionalGetMiddleware',
     "django.middleware.common.CommonMiddleware",
diff --git a/templates/devel/index.html b/templates/devel/index.html
index 662e8246..25429ecf 100644
--- a/templates/devel/index.html
+++ b/templates/devel/index.html
@@ -60,7 +60,7 @@ <h3>My Flagged Packages</h3>
         </tbody>
     </table>
 
-    <form id="dash-pkg-notify" method="post" action="/devel/notify/">
+    <form id="dash-pkg-notify" method="post" action="/devel/notify/">{% csrf_token %}
         <fieldset>
             <p><input id="notify" name="notify" type="checkbox" value="yes"
             {% if user.get_profile.notify %} checked="checked"{% endif %} />
diff --git a/templates/devel/profile.html b/templates/devel/profile.html
index 178a59aa..2c1c658d 100644
--- a/templates/devel/profile.html
+++ b/templates/devel/profile.html
@@ -6,7 +6,7 @@
 
     <h2>Developer Profile</h2>
 
-    <form id="edit-profile-form" method="post" action=".">
+    <form id="edit-profile-form" method="post" action=".">{% csrf_token %}
         <fieldset>
             <legend>Username: <strong>{{ user.username }}</strong></legend>
             {{ form.as_p }}
diff --git a/templates/general_form.html b/templates/general_form.html
index d499919a..93e73aca 100644
--- a/templates/general_form.html
+++ b/templates/general_form.html
@@ -8,7 +8,7 @@ <h2>{{title}}</h2>
 
     {% if description %}{{description}}{% endif %}
 
-    <form class="general-form" method="post" action=".">
+    <form class="general-form" method="post" action=".">{% csrf_token %}
         <fieldset>
             {% for field in form %}
                 <p><label>{{field.label}}{% if field.help_text %}:</label><br />
diff --git a/templates/mirrors/index.html b/templates/mirrors/index.html
index b347a086..55c172d7 100644
--- a/templates/mirrors/index.html
+++ b/templates/mirrors/index.html
@@ -13,7 +13,7 @@ <h2>Pacman Mirrorlist Generator</h2>
     Simply replace the contents of <code>/etc/pacman.d/mirrorlist</code> with
     the generated code.</p>
 
-    <form id="list-generator" method="post" action=".">
+    <form id="list-generator" method="post" action=".">{% csrf_token %}
         {{ mirrorlist_form.as_p }}
         <p><label></label> <input type="submit" value="Generate List" /></p>
     </form>
diff --git a/templates/news/add.html b/templates/news/add.html
index 38b5b21d..04a55689 100644
--- a/templates/news/add.html
+++ b/templates/news/add.html
@@ -10,7 +10,7 @@ <h2>News: Edit Article</h2>
     <h2>News: Add Article</h2>
     {% endif %}
 
-    <form id="newsform" method="post" action=".">
+    <form id="newsform" method="post" action=".">{% csrf_token %}
         <fieldset>
             {{ form.as_p }}
         </fieldset>
diff --git a/templates/news/delete.html b/templates/news/delete.html
index 6a2fa1e8..3e3ba95e 100644
--- a/templates/news/delete.html
+++ b/templates/news/delete.html
@@ -14,7 +14,7 @@ <h2>News: Delete Entry Confirmation</h2>
 
     <p>Are you sure?</p>
 
-    <form method="post" action=".">
+    <form method="post" action=".">{% csrf_token %}
         <input title="Delete this article" id="delete" name="delete"
         type="submit" value="Delete" /></p>
     </form>
diff --git a/templates/packages/details.html b/templates/packages/details.html
index f60324e8..247b6344 100644
--- a/templates/packages/details.html
+++ b/templates/packages/details.html
@@ -32,7 +32,7 @@ <h2>Package Details: {{ pkg.pkgname }} {{ pkg.pkgver }}-{{ pkg.pkgrel }}</h2>
         </ul>
 
         {% if user.is_authenticated %}
-        <form id="pkg-action" method="post" action="/packages/update/">
+        <form id="pkg-action" method="post" action="/packages/update/">{% csrf_token %}
             <div><input type="hidden" name="pkgid" value="{{ pkg.id }}" /></div>
             <p><input title="Adopt this package" type="submit" class="adopt" name="adopt" value="Adopt" />
             &nbsp;&nbsp;<input title="Orphan this package" type="submit" class="disown" name="disown" value="Disown" /></p>
diff --git a/templates/packages/flag.html b/templates/packages/flag.html
index 71d84982..9a5b123b 100644
--- a/templates/packages/flag.html
+++ b/templates/packages/flag.html
@@ -31,7 +31,7 @@ <h2>Flag Package: {{ pkg.pkgname }}</h2>
 
     <p>Please confirm your flag request for {{pkg.pkgname}}:</p>
 
-    <form id="flag-pkg-form" method="post" action=".">
+    <form id="flag-pkg-form" method="post" action=".">{% csrf_token %}
         <fieldset>
             {{ form.as_p }}
         </fieldset>
diff --git a/templates/packages/search.html b/templates/packages/search.html
index 6a22b7d8..6ed7f95f 100644
--- a/templates/packages/search.html
+++ b/templates/packages/search.html
@@ -69,7 +69,7 @@ <h3>Package Search</h3>
     </div>
     {% endif %}
 
-    <form id="pkglist-results-form" method="post" action="/packages/update/">
+    <form id="pkglist-results-form" method="post" action="/packages/update/">{% csrf_token %}
 
         <table class="results">
             <thead>
diff --git a/templates/registration/login.html b/templates/registration/login.html
index 2f626566..867910ba 100644
--- a/templates/registration/login.html
+++ b/templates/registration/login.html
@@ -10,7 +10,7 @@ <h2>Developer Login</h2>
     <p class="login-error">Your username and password didn't match. Please try again.</p>
     {% endif %}
 
-    <form id="dev-login-form" method="post" action=".">
+    <form id="dev-login-form" method="post" action=".">{% csrf_token %}
         <fieldset>
             <legend>Enter login credentials</legend>
             {{ form.as_p }}
diff --git a/templates/todolists/todolist_confirm_delete.html b/templates/todolists/todolist_confirm_delete.html
index c1e87834..39c9f0da 100644
--- a/templates/todolists/todolist_confirm_delete.html
+++ b/templates/todolists/todolist_confirm_delete.html
@@ -14,7 +14,7 @@ <h2>Delete Todo List: {{object.name}}</h2>
 
     <p>Are you sure?</p>
 
-    <form id="delete-todo-form" method="post" action=".">
+    <form id="delete-todo-form" method="post" action=".">{% csrf_token %}
         <p><input type="submit" value="Delete" /></p>
     </form>
 
-- 
cgit v1.2.3-54-g00ecf