mirror of
https://github.com/jiojciojsioe3/a3cjroijsiojiorj.git
synced 2024-11-15 15:31:51 +08:00
anti-csrf
This commit is contained in:
parent
873bd1a73e
commit
1e7477dd96
4
app.py
4
app.py
@ -14,6 +14,7 @@ from functools import wraps
|
|||||||
from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
|
from flask import Flask, g, jsonify, render_template, request, abort, redirect, session, flash
|
||||||
from flask_caching import Cache
|
from flask_caching import Cache
|
||||||
from flask_session import Session
|
from flask_session import Session
|
||||||
|
from flask_wtf.csrf import CSRFProtect, generate_csrf
|
||||||
from ffmpy import FFmpeg
|
from ffmpy import FFmpeg
|
||||||
from pymongo import MongoClient
|
from pymongo import MongoClient
|
||||||
|
|
||||||
@ -26,6 +27,7 @@ app.config['SESSION_COOKIE_HTTPONLY'] = False
|
|||||||
app.cache = Cache(app, config=config.REDIS)
|
app.cache = Cache(app, config=config.REDIS)
|
||||||
sess = Session()
|
sess = Session()
|
||||||
sess.init_app(app)
|
sess.init_app(app)
|
||||||
|
csrf = CSRFProtect(app)
|
||||||
|
|
||||||
db = client[config.MONGO['database']]
|
db = client[config.MONGO['database']]
|
||||||
db.users.create_index('username', unique=True)
|
db.users.create_index('username', unique=True)
|
||||||
@ -106,6 +108,7 @@ def get_config():
|
|||||||
config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/'
|
config_out['assets_baseurl'] = ''.join([request.host_url, 'assets']) + '/'
|
||||||
|
|
||||||
config_out['_version'] = get_version()
|
config_out['_version'] = get_version()
|
||||||
|
config_out['_csrf_token'] = generate_csrf()
|
||||||
return config_out
|
return config_out
|
||||||
|
|
||||||
|
|
||||||
@ -126,7 +129,6 @@ def get_version():
|
|||||||
|
|
||||||
|
|
||||||
@app.route('/')
|
@app.route('/')
|
||||||
@app.cache.cached(timeout=15)
|
|
||||||
def route_index():
|
def route_index():
|
||||||
version = get_version()
|
version = get_version()
|
||||||
return render_template('index.html', version=version, config=get_config())
|
return render_template('index.html', version=version, config=get_config())
|
||||||
|
@ -423,6 +423,7 @@ class Account{
|
|||||||
})
|
})
|
||||||
if(obj){
|
if(obj){
|
||||||
request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
|
request.setRequestHeader("Content-Type", "application/json;charset=UTF-8")
|
||||||
|
request.setRequestHeader("X-CSRFToken", gameConfig._csrf_token)
|
||||||
request.send(JSON.stringify(obj))
|
request.send(JSON.stringify(obj))
|
||||||
}else{
|
}else{
|
||||||
request.send()
|
request.send()
|
||||||
|
@ -6,6 +6,7 @@
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
<div class="song-form">
|
<div class="song-form">
|
||||||
<form method="post">
|
<form method="post">
|
||||||
|
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||||
|
|
||||||
<div class="form-field">
|
<div class="form-field">
|
||||||
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled"{% if song.enabled %} checked{% endif %}{% if admin.user_level < 100 %} disabled {% endif %}><label for="enabled"> Enabled</label></span>
|
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled"{% if song.enabled %} checked{% endif %}{% if admin.user_level < 100 %} disabled {% endif %}><label for="enabled"> Enabled</label></span>
|
||||||
@ -124,6 +125,7 @@
|
|||||||
</form>
|
</form>
|
||||||
{% if admin.user_level >= 100 %}
|
{% if admin.user_level >= 100 %}
|
||||||
<form class="delete-song" method="post" action="/admin/songs/{{song.id}}/delete" onsubmit="return confirm('Are you sure you wish to delete this song?');">
|
<form class="delete-song" method="post" action="/admin/songs/{{song.id}}/delete" onsubmit="return confirm('Are you sure you wish to delete this song?');">
|
||||||
|
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||||
<button type="submit">Delete song</button>
|
<button type="submit">Delete song</button>
|
||||||
</form>
|
</form>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -6,9 +6,10 @@
|
|||||||
{% endfor %}
|
{% endfor %}
|
||||||
<div class="song-form">
|
<div class="song-form">
|
||||||
<form method="post">
|
<form method="post">
|
||||||
|
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
||||||
|
|
||||||
<div class="form-field">
|
<div class="form-field">
|
||||||
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled" checked><label for="enabled"> Enabled</label></span>
|
<span class="checkbox"><input type="checkbox" name="enabled" id="enabled"><label for="enabled"> Enabled</label></span>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="form-field">
|
<div class="form-field">
|
||||||
|
Loading…
Reference in New Issue
Block a user