authorKalevi Yypänaho <kyypanah@local>2023-11-27 20:35:57 +0200
committerKalevi Yypänaho <kyypanah@local>2023-11-27 20:35:57 +0200
commitd74aca91c689b54b7b49bbfa7121f458f4caf751 (patch)
treeb13f1ffc7d6f5c816ac16147cc9b8703a17c69c7 /routes
parentd6c73dbde8a35905a8f29caf9b6d088043a5e78f (diff)
Adding csrf to templates.
Diffstat (limited to 'routes')
-rw-r--r--routes/analyse.py3
-rw-r--r--routes/answer.py10
-rw-r--r--routes/base.py4
-rw-r--r--routes/create.py6
-rw-r--r--routes/question.py3
-rw-r--r--routes/tools.py11
6 files changed, 25 insertions, 12 deletions
diff --git a/routes/analyse.py b/routes/analyse.py
index 70d852b..3b59ae7 100644
--- a/routes/analyse.py
+++ b/routes/analyse.py
@@ -94,7 +94,8 @@ def analyse():
@app.route("/set/compare",methods=["POST"])
def set_compare():
- csrf_check("/#analyse")
+ if csrf_check():
+ return redirect("/#analyse")
session["anal_user1"] = request.form["user1"]
session["anal_user2"] = request.form["user2"]
return redirect("/#analyse")
diff --git a/routes/answer.py b/routes/answer.py
index a554d25..e224b44 100644
--- a/routes/answer.py
+++ b/routes/answer.py
@@ -14,7 +14,8 @@ def kys_link(link):
@app.route("/set/answer_id",methods=["POST"])
def answer_id():
next = "/#"+request.form["caller"] if "caller" in request.form else "/"
- csrf_check(next)
+ if csrf_check():
+ return redirect(next)
if "id" not in session:
session["alert"] = "Nimimerkkiä ei ole asetettu."
return redirect(next)
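Review bot: The redirect target `next` is assembled from `request.form["caller"]` on the line before `csrf_check()` runs, so on a forged cross-site POST the attacker also picks where the victim lands after the failure alert. Because the value is prefixed with `/#` it stays on this origin and only the fragment is attacker-controlled, so this is hardening rather than an open redirect, but an allow-list of the anchors this app actually uses (the diff's own redirects show `answer`, `create` and `analyse`) keeps it tight: `caller = request.form.get("caller")` then `next_url = "/#" + caller if caller in ("answer", "create", "analyse") else "/"`. Renaming to `next_url` also stops shadowing the builtin `next`. The body of `answer_id` continues past the end of this hunk.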
@@ -82,7 +83,8 @@ def answer():
@app.route("/set/answers",methods=["POST"])
def set_answers():
- csrf_check("/#answer")
+ if csrf_check():
+ return redirect("/#answer")
if "id" not in session:
session["alert"]="Nimimerkkiä ei ole vielä valittu!"
return redirect( "/#answer" )
@@ -92,6 +94,8 @@ def set_answers():
sid = session["id"]
for question, answer in request.form.items():
+ if question=="csrf":
+ continue
try:
if int(answer) < 0 or int(answer) > 999:
session["alert"]="Luvattoman pieniä tai suuria lukuja!"
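Review bot: The `if question=="csrf": continue` guard is now copy-pasted into both loops over `request.form.items()`, so the two passes can drift apart the next time another non-answer field is added to the form. Filter once before the validation loop, `answers = {q: a for q, a in request.form.items() if q != "csrf"}`, and iterate `answers.items()` in both places so validation and persistence see exactly the same set of keys. The `try` body that validates `answer` continues outside this hunk.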
@@ -104,6 +108,8 @@ def set_answers():
return redirect( "/#answer" )
for question, answer in request.form.items():
+ if question=="csrf":
+ continue
D.answer_new(int(sid), int(question), int(answer))
return redirect("/#analyse")
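Review bot: `int(question)` in the `D.answer_new(...)` call sits outside the `try` that validates `answer`, so any form field other than `csrf` whose name is not numeric (a hidden `caller` field, say, which the other routes in this diff read) raises `ValueError` and produces a 500 instead of the alert — unless the part of the `try` body outside the hunk already checks the key, which I cannot see from here. Skipping by shape rather than by name covers both the token and any future extra field: `if not question.isdigit(): continue` in place of the `question=="csrf"` test, in this loop and in the validation loop above it. If question ids can legitimately be negative, use a `try: int(question) except ValueError: continue` instead.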
diff --git a/routes/base.py b/routes/base.py
index 42d8cdf..2c4b1f2 100644
--- a/routes/base.py
+++ b/routes/base.py
@@ -1,3 +1,4 @@
+from secrets import token_urlsafe
from app import app
from flask import render_template,session,request,redirect
import db_actions as D
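Review bot: `token_urlsafe` is imported here but nothing in this diff calls it, so either the token is minted in a part of base.py outside these hunks or the import is unused. If it is the former, the thing to confirm is that `session["csrf"] = token_urlsafe(32)` runs before any form is rendered and is not regenerated on every request, since `csrf_check()` in tools.py compares the form value against whatever is in the session at POST time; a token rotated on each GET would make a form opened in two tabs fail. If it is the latter, drop the import or add the minting code in this commit so the check is actually satisfiable.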
@@ -26,7 +27,8 @@ def info():
@app.route("/set/nick",methods=["POST"])
def new_nick():
next = "/#"+request.form["caller"] if "caller" in request.form else "/"
- csrf_check(next)
+ if csrf_check():
+ return redirect(next)
if "id" in session.keys():
session["alert"]="Sinulla on jo nimimerkki. Käytä sitä."
return redirect(next)
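Review bot: The three-line prologue — build `next` from `request.form["caller"]`, run `csrf_check()`, redirect on failure — is now identical to the one in routes/answer.py, and in both places the unverified `caller` value is used as the redirect target before the CSRF check has passed and `next` shadows the builtin. Pull it into a helper in tools.py, e.g. `def caller_url(): caller = request.form.get("caller"); return "/#" + caller if caller in ("answer", "create", "analyse") else "/"`, and call `next_url = caller_url()` here, so the anchor allow-list lives in one place. The body of `new_nick` continues past the end of this hunk.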
diff --git a/routes/create.py b/routes/create.py
index 083cc0e..2de8e27 100644
--- a/routes/create.py
+++ b/routes/create.py
@@ -41,7 +41,8 @@ def create():
@app.route("/set/quiz",methods=["POST"])
def new_quiz():
- csrf_check("/#create")
+ if csrf_check():
+ return redirect("/#create")
if not "id" in session.keys():
session["alert"]="Tarvitset nimimerkin loudaksesi."
return redirect("/#create")
@@ -52,7 +53,8 @@ def new_quiz():
@app.route("/set/quiz_ready",methods=["POST"])
def quiz_ready():
- csrf_check("/#create")
+ if csrf_check():
+ return redirect("/#create")
if "quiz_id" not in session.keys():
session["alert"] = "Kyselmä jota ei ole aloitettu ei voi olla valmis."
return redirect("/#create")
diff --git a/routes/question.py b/routes/question.py
index de8dc28..42fce8d 100644
--- a/routes/question.py
+++ b/routes/question.py
@@ -14,7 +14,8 @@ def question():
@app.route("/set/question",methods=["POST"])
def new_question():
- csrf_check("/#create")
+ if csrf_check():
+ return redirect("/#create")
try:
question = request.form["question"]
neg_ans = request.form["neg_ans"]
diff --git a/routes/tools.py b/routes/tools.py
index 3f831a9..c55ca74 100644
--- a/routes/tools.py
+++ b/routes/tools.py
@@ -1,5 +1,5 @@
from random import randint
-from flask import session
+from flask import session, request
import db_actions as D
def rows2dicts( rows, names ):
@@ -38,9 +38,10 @@ def generate_link():
str+=vocal[randint(0,len(vocal)-1)]
return str
-def csrf_check( redir ):
+def csrf_check():
if "csrf" not in session \
or "csrf" not in request.form \
- or session["csrf"]!=request.form["csrf"]:
- session["alert"]="Istuntosi katkesi tai pyyntö toiselta sivulta!"
- return redirect( redir )
+ or session["csrf"] != request.form["csrf"]:
+ session["alert"]="Istuntosi katkesi tai pyyntö on toiselta sivulta!"
+ return True
+ return False
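Review bot: The `session["csrf"] != request.form["csrf"]` comparison is a plain string compare; use `hmac.compare_digest` (add `import hmac` at the top of tools.py) so the check is constant-time, and encode both sides to bytes first because `compare_digest` raises `TypeError` on non-ASCII `str` and the form value is attacker-supplied. The inverted return convention — `True` means the check FAILED — is not documented anywhere, yet every caller in this commit now reads `if csrf_check(): return redirect(...)`; a docstring should state it, and `.get()` on both mappings lets the three-way `or` collapse to one `None` test. The rewritten function is below.
```python
def csrf_check():
    """Return True when the request has no valid CSRF token (and set the alert).

    Callers redirect when this returns True; a matching token returns False.
    """
    expected = session.get("csrf")
    supplied = request.form.get("csrf")
    if expected is None or supplied is None \
            or not hmac.compare_digest(expected.encode(), supplied.encode()):
        session["alert"]="Istuntosi katkesi tai pyyntö on toiselta sivulta!"
        return True
    return False
```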