From 063313f87bfda6f528d428dd95cf6d07e401e619 Mon Sep 17 00:00:00 2001 From: Luca Date: Tue, 14 May 2024 23:57:59 +0200 Subject: [PATCH] chore: add csrf protection for changes to registration state --- .../team/templates/checkin_list.html | 10 ++++- .../team/templates/csrf_protect.html | 12 ++++++ shiftregister/team/templates/molly_guard.html | 12 ------ .../team/templates/shift_detail.html | 15 +++++-- shiftregister/team/views.py | 39 +++++++++++++++---- 5 files changed, 64 insertions(+), 24 deletions(-) create mode 100644 shiftregister/team/templates/csrf_protect.html delete mode 100644 shiftregister/team/templates/molly_guard.html diff --git a/shiftregister/team/templates/checkin_list.html b/shiftregister/team/templates/checkin_list.html index 9c0723f..067a4e0 100644 --- a/shiftregister/team/templates/checkin_list.html +++ b/shiftregister/team/templates/checkin_list.html @@ -33,8 +33,14 @@ {{ reg.shift.duration|duration }}
- Als angekommen markieren - Nicht angetreten +
+ {% csrf_token %} + +
+
+ {% csrf_token %} + +
📞
diff --git a/shiftregister/team/templates/csrf_protect.html b/shiftregister/team/templates/csrf_protect.html new file mode 100644 index 0000000..98bbead --- /dev/null +++ b/shiftregister/team/templates/csrf_protect.html @@ -0,0 +1,12 @@ +{% extends "base.html" %} + +{% block title %}{{ action|default:"Aktion bestätigen" }}{% endblock %} + +{% block content %} +

{{ action|default:"Aktion bestätigen" }}

+
+ {% csrf_token %} + +
+Zurück +{% endblock %} diff --git a/shiftregister/team/templates/molly_guard.html b/shiftregister/team/templates/molly_guard.html deleted file mode 100644 index b531af1..0000000 --- a/shiftregister/team/templates/molly_guard.html +++ /dev/null @@ -1,12 +0,0 @@ -{% extends "base.html" %} - -{% block title %}Helfer*in wirklich sperren?{% endblock %} - -{% block content %} -
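Review bot: The new generic confirmation template receives `reg` in its context from all three views, but in the visible text of csrf_protect.html only `action` and the button label are rendered, so the page never tells the user which helper or shift is about to be checked in, failed or removed before the destructive POST (the markup is partly lost in this rendering, so this may be hidden). Since the same page now fronts the irreversible `delete_shiftregistration`, consider rendering the target record next to the action, e.g. `{{ reg.helper }} – {{ reg.shift }}` inside the heading block, using whatever display fields the model exposes. A one-line template comment documenting the expected context keys (`action`, `button_text`, `reg`) would also help, since the view code is the only place they are defined.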

Helfer*in wirklich sperren?

-
- {% csrf_token %} - -
-Zurück -{% endblock %} diff --git a/shiftregister/team/templates/shift_detail.html b/shiftregister/team/templates/shift_detail.html index ba8f5fe..02f37f7 100644 --- a/shiftregister/team/templates/shift_detail.html +++ b/shiftregister/team/templates/shift_detail.html @@ -32,9 +32,18 @@
{% if reg.is_pending %} - Als angekommen markieren - Helfer*in abmelden - Nicht angetreten +
+ {% csrf_token %} + +
+
+ {% csrf_token %} + +
+
+ {% csrf_token %} + +
{% elif reg.is_checked_in %} {% endif %} diff --git a/shiftregister/team/views.py b/shiftregister/team/views.py index 0fdff7c..8ba11ed 100644 --- a/shiftregister/team/views.py +++ b/shiftregister/team/views.py @@ -308,9 +308,18 @@ class CheckinList(LoginRequiredMixin, ListView): @login_required def checkin(request, pk): reg = get_object_or_404(ShiftRegistration, pk=pk) - reg.state = reg.RegState.CHECKED_IN - reg.save() - return redirect("team:shift", pk=reg.shift.pk) + + if request.method == "POST": + reg.state = reg.RegState.CHECKED_IN + reg.save() + + return redirect("team:shift", pk=reg.shift.pk) + + return render( + request, + "csrf_protect.html", + {"action": "Als angekommen markieren", "button_text": "Angekommen", "reg": reg}, + ) @login_required @@ -326,15 +335,31 @@ def mark_as_failed(request, pk): return redirect("team:shift", pk=reg.shift.pk) - return render(request, "molly_guard.html", {"reg": reg}) + return render( + request, + "csrf_protect.html", + { + "action": 'Schicht als "nicht angetreten" markieren', + "button_text": "Nicht angetreten", + "reg": reg, + }, + ) @login_required def delete_shiftregistration(request, pk): reg = get_object_or_404(ShiftRegistration, pk=pk) - spk = reg.shift.pk - reg.delete() - return redirect("team:shift", pk=spk) + + if request.method == "POST": + reg.delete() + + return redirect("team:shift", pk=reg.shift.pk) + + return render( + request, + "csrf_protect.html", + {"action": "Helfer*in abmelden", "button_text": "Abmelden", "reg": reg}, + ) class IncomingMessagesList(LoginRequiredMixin, ListView):
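Review bot: The POST branch of `checkin` sets CHECKED_IN on any registration regardless of its current state, while the templates in this same commit only render the button under `{% if reg.is_pending %}`, so the transition is enforced client-side only and a crafted POST can check in a registration already marked as failed. If pending → checked-in is the only intended transition, guard it in the view, e.g. `if not reg.is_pending: return redirect("team:shift", pk=reg.shift.pk)` ahead of the POST branch, and prefer `reg.save(update_fields=["state"])` so the write cannot clobber other fields changed concurrently. `@login_required` is the only access check here; whether any logged-in user may act on arbitrary registrations is not visible in this diff and is worth confirming. A docstring would make the two-phase behaviour explicit, e.g. `"""GET: render the CSRF-protected confirmation page; POST: mark the registration as checked in and redirect to its shift."""`.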
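Review bot: `delete_shiftregistration` now reads `reg.shift.pk` after `reg.delete()`, whereas the removed lines captured the shift pk first; after `delete()` Django clears the instance's own pk, and the redirect only works because the `shift_id` attribute survives and `reg.shift` issues a fresh query through a row that no longer exists. Capture it up front as before: `shift_pk = reg.shift.pk`, then `reg.delete()`, then `return redirect("team:shift", pk=shift_pk)`. As with the other views, the POST branch performs the irreversible deletion with no check beyond `@login_required`, which may be intended but should be confirmed against how team access is modelled elsewhere. The first part of this hunk sits inside `mark_as_failed`, whose definition starts outside the hunk.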