chore: add csrf protection for changes to registration state
parent
fb58e1db77
commit
063313f87b
@ -33,8 +33,14 @@
|
|||
<td><a href="{% url 'team:shift' reg.shift.pk %}">{{ reg.shift.duration|duration }}</a></td>
|
||||
<td>
|
||||
<div class="buttons">
|
||||
<a class="button is-success is-small" href="{% url 'team:checkin' reg.pk %}">Als angekommen markieren</a>
|
||||
<a class="button is-danger is-small" href="{% url 'team:mark_as_failed' reg.pk %}">Nicht angetreten</a>
|
||||
<form action="{% url 'team:checkin' reg.pk %}" method="post">
|
||||
{% csrf_token %}
|
||||
<button class="button is-success is-small mr-2" type="submit">Als angekommen markieren</button>
|
||||
</form>
|
||||
<form action="{% url 'team:mark_as_failed' reg.pk %}" method="post">
|
||||
{% csrf_token %}
|
||||
<button class="button is-danger is-small mr-2" type="submit">Nicht angetreten</button>
|
||||
</form>
|
||||
<a class="button is-link is-small" href="tel:{{ reg.helper.phone }}">📞</a>
|
||||
</div>
|
||||
</td>
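Review bot: Posting to `team:mark_as_failed` straight from this list skips the confirmation step the old `<a href>` still went through, because the view (see the views hunk) performs the state change as soon as it receives a POST and only renders the confirmation page on GET; if marking a shift as failed still blocks the helper, as the removed molly_guard wording suggests, one stray click on `Nicht angetreten` now takes effect immediately. Keep the direct form for the low-risk check-in and restore the link for the destructive action, `<a class="button is-danger is-small" href="{% url 'team:mark_as_failed' reg.pk %}">Nicht angetreten</a>`, so the user lands on the confirmation page and submits the CSRF-protected form there. Whether a one-click action is wanted on this list is a product decision I cannot settle from the diff; if it is intended, a short template comment next to the form saying so would save the next reader the same question.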
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% block title %}{{ action|default:"Aktion bestätigen" }}{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
<h3 class="title">{{ action|default:"Aktion bestätigen" }}</h3>
|
||||
<form method="POST">
|
||||
{% csrf_token %}
|
||||
<button class="button is-{{ button_style|default:"danger" }} is-small" type="submit">{{ button_text|default:"Bestätigen" }}</button>
|
||||
</form>
|
||||
<a class="button mt-3" href="{% url 'team:shift' reg.shift.pk %}">Zurück</a>
|
||||
{% endblock %}
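Review bot: The back link depends on `reg` being in the context, which ties a template meant to be generic to one context shape and yields a broken href for any future view that confirms something without a registration; a `back_url` context key (falling back to the shift page) would make it reusable. The `{% csrf_token %}` only protects the POST if `CsrfViewMiddleware` is active or the receiving view carries `@csrf_protect`; settings are not part of this diff, so that should be confirmed. A header comment would also help, e.g. `{# Confirmation page for state-changing POSTs. Context: action (heading), button_text, button_style (Bulma colour, default "danger"), reg (back-link target). The form posts back to the current URL. #}`.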
|
|
@ -1,12 +0,0 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% block title %}Helfer*in wirklich sperren?{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
<h3 class="title">Helfer*in wirklich sperren?</h3>
|
||||
<form method="POST">
|
||||
{% csrf_token %}
|
||||
<button class="button is-danger is-small" type="submit">Schicht als "nicht angetreten" markieren und Helfer*in sperren</button>
|
||||
</form>
|
||||
<a class="button mt-3" href="{% url 'team:shift' reg.shift.pk %}">Zurück</a>
|
||||
{% endblock %}
|
|
@ -32,9 +32,18 @@
|
|||
</div>
|
||||
<div class="buttons">
|
||||
{% if reg.is_pending %}
|
||||
<a class="button is-success is-small" href="{% url 'team:checkin' reg.pk %}">Als angekommen markieren</a>
|
||||
<a class="button is-warning is-small" href="{% url 'team:unregister' reg.pk %}">Helfer*in abmelden</a>
|
||||
<a class="button is-danger is-small" href="{% url 'team:mark_as_failed' reg.pk %}">Nicht angetreten</a>
|
||||
<form action="{% url 'team:checkin' reg.pk %}" method="post">
|
||||
{% csrf_token %}
|
||||
<button class="button is-success is-small mr-2" type="submit">Als angekommen markieren</button>
|
||||
</form>
|
||||
<form action="{% url 'team:unregister' reg.pk %}" method="post">
|
||||
{% csrf_token %}
|
||||
<button class="button is-warning is-small mr-2" type="submit">Helfer*in abmelden</button>
|
||||
</form>
|
||||
<form action="{% url 'team:mark_as_failed' reg.pk %}" method="post">
|
||||
{% csrf_token %}
|
||||
<button class="button is-danger is-small" type="submit">Nicht angetreten</button>
|
||||
</form>
|
||||
{% elif reg.is_checked_in %}
|
||||
<button class="button is-success is-small" style="pointer-events:none;">✓</button>
|
||||
{% endif %}
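Review bot: The `Helfer*in abmelden` form posts directly to `team:unregister`, which judging by the shared "Helfer*in abmelden" label is served by `delete_shiftregistration` in the views hunk, and that view deletes the registration on any POST; a helper is therefore removed with a single click and no confirmation, and the same applies to `Nicht angetreten`. Since both views already render the confirmation page on GET, keeping these two as plain links, e.g. `<a class="button is-warning is-small" href="{% url 'team:unregister' reg.pk %}">Helfer*in abmelden</a>`, restores the confirmation step while the POST on that page stays CSRF-protected. Note that the `{% if reg.is_pending %}` guard here is presentational only; the views do not enforce it, so a crafted POST can still act on a non-pending registration.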
|
||||
|
|
|
@ -308,10 +308,19 @@ class CheckinList(LoginRequiredMixin, ListView):
|
|||
@login_required
|
||||
def checkin(request, pk):
|
||||
reg = get_object_or_404(ShiftRegistration, pk=pk)
|
||||
|
||||
if request.method == "POST":
|
||||
reg.state = reg.RegState.CHECKED_IN
|
||||
reg.save()
|
||||
|
||||
return redirect("team:shift", pk=reg.shift.pk)
|
||||
|
||||
return render(
|
||||
request,
|
||||
"csrf_protect.html",
|
||||
{"action": "Als angekommen markieren", "button_text": "Angekommen", "reg": reg},
|
||||
)
|
||||
|
||||
|
||||
@login_required
|
||||
def mark_as_failed(request, pk):
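Review bot: `checkin` sets `reg.state = reg.RegState.CHECKED_IN` for any registration that receives a POST, while the templates only offer the button when `reg.is_pending`, so a failed or already checked-in registration can be flipped by posting to its URL; add a guard before the assignment, `if not reg.is_pending: return redirect("team:shift", pk=reg.shift.pk)` (call it if `is_pending` is a method rather than a property). The `request.method == "POST"` test only gives CSRF protection if `CsrfViewMiddleware` is enabled, which this diff does not show; decorating the view with `@csrf_protect` from `django.views.decorators.csrf` makes the intent explicit and survives a middleware misconfiguration. `@login_required` remains the only access control, so any logged-in account can check in any registration — whether team-scoped authorization is intended cannot be told from here. A docstring would help too: `"""Mark registration ``pk`` as checked in on POST; on GET render the confirmation page."""`.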
|
||||
|
@ -326,15 +335,31 @@ def mark_as_failed(request, pk):
|
|||
|
||||
return redirect("team:shift", pk=reg.shift.pk)
|
||||
|
||||
return render(request, "molly_guard.html", {"reg": reg})
|
||||
return render(
|
||||
request,
|
||||
"csrf_protect.html",
|
||||
{
|
||||
"action": 'Schicht als "nicht angetreten" markieren',
|
||||
"button_text": "Nicht angetreten",
|
||||
"reg": reg,
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
@login_required
|
||||
def delete_shiftregistration(request, pk):
|
||||
reg = get_object_or_404(ShiftRegistration, pk=pk)
|
||||
spk = reg.shift.pk
|
||||
|
||||
if request.method == "POST":
|
||||
reg.delete()
|
||||
return redirect("team:shift", pk=spk)
|
||||
|
||||
return redirect("team:shift", pk=reg.shift.pk)
|
||||
|
||||
return render(
|
||||
request,
|
||||
"csrf_protect.html",
|
||||
{"action": "Helfer*in abmelden", "button_text": "Abmelden", "reg": reg},
|
||||
)
|
||||
|
||||
|
||||
class IncomingMessagesList(LoginRequiredMixin, ListView):
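Review bot: `delete_shiftregistration` deletes on any POST with no check on the registration's state, although the shift template only offers `Helfer*in abmelden` while `reg.is_pending`; add `if not reg.is_pending: return redirect("team:shift", pk=spk)` before `reg.delete()` so a checked-in or failed registration cannot be removed by replaying the URL. The unindented `return redirect("team:shift", pk=reg.shift.pk)` shown between the POST branch and the `render` call looks like the removed old fallback whose marker the rendered diff lost; if it actually survived on the new side it would make the confirmation page unreachable, so that is worth a glance in the raw diff. As in the other two views, `@login_required` is the only gate on the action; confirm that no team-level permission is expected before a helper can be removed. The body of `mark_as_failed` starts before this hunk and `IncomingMessagesList` continues after it.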
|
||||
|
|