From d74aca91c689b54b7b49bbfa7121f458f4caf751 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kalevi=20Yyp=C3=A4naho?=
Date: Mon, 27 Nov 2023 20:35:57 +0200
Subject: Adding csrf to templates.

---
 routes/analyse.py | 3 ++-
 routes/answer.py | 10 ++++++++--
 routes/base.py | 4 +++-
 routes/create.py | 6 ++++--
 routes/question.py | 3 ++-
 routes/tools.py | 11 ++++++-----
 templates/analyse.html | 6 ++++++
 templates/answer.html | 2 ++
 templates/base.html | 1 +
 templates/create.html | 2 ++
 templates/question.html | 1 +
 11 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/routes/analyse.py b/routes/analyse.py
index 70d852b..3b59ae7 100644
--- a/routes/analyse.py
+++ b/routes/analyse.py
@@ -94,7 +94,8 @@ def analyse():
 
 @app.route("/set/compare",methods=["POST"])
 def set_compare():
-    csrf_check("/#analyse")
+    if csrf_check():
+        return redirect("/#analyse")
     session["anal_user1"] = request.form["user1"]
     session["anal_user2"] = request.form["user2"]
     return redirect("/#analyse")
diff --git a/routes/answer.py b/routes/answer.py
index a554d25..e224b44 100644
--- a/routes/answer.py
+++ b/routes/answer.py
@@ -14,7 +14,8 @@ def kys_link(link):
 @app.route("/set/answer_id",methods=["POST"])
 def answer_id():
     next = "/#"+request.form["caller"] if "caller" in request.form else "/"
-    csrf_check(next)
+    if csrf_check():
+        return redirect(next)
     if "id" not in session:
         session["alert"] = "Nimimerkkiä ei ole asetettu."
         return redirect(next)
@@ -82,7 +83,8 @@ def answer():
 
 @app.route("/set/answers",methods=["POST"])
 def set_answers():
-    csrf_check("/#answer")
+    if csrf_check():
+        return redirect("/#answer")
     if "id" not in session:
         session["alert"]="Nimimerkkiä ei ole vielä valittu!"
         return redirect( "/#answer" )
@@ -92,6 +94,8 @@ def set_answers():
 
     sid = session["id"]
     for question, answer in request.form.items():
+        if question=="csrf":
+            continue
         try:
             if int(answer) < 0 or int(answer) > 999:
                 session["alert"]="Luvattoman pieniä tai suuria lukuja!"
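Review bot: The `if question=="csrf": continue` filter in set_answers is keyed to the literal hidden-field name and is repeated in the second loop over the same form in the next hunk, so a template rename or another non-answer hidden field (the handlers in this diff already use a `caller` field) has to be handled in two places. Filter once before both loops, e.g. `answers = {q: a for q, a in request.form.items() if q != "csrf"}`, and iterate `answers.items()` in both; that gives one place to list every non-answer field the form carries. A short comment on the filter, `# hidden CSRF token is not an answer`, would also help a reader who lands here without the template. set_answers continues past the end of this hunk.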
@@ -104,6 +108,8 @@ def set_answers():
             return redirect( "/#answer" )
 
     for question, answer in request.form.items():
+        if question=="csrf":
+            continue
         D.answer_new(int(sid), int(question), int(answer))
 
     return redirect("/#analyse")
diff --git a/routes/base.py b/routes/base.py
index 42d8cdf..2c4b1f2 100644
--- a/routes/base.py
+++ b/routes/base.py
@@ -1,3 +1,4 @@
+from secrets import token_urlsafe
 from app import app
 from flask import render_template,session,request,redirect
 import db_actions as D
@@ -26,7 +27,8 @@ def info():
 @app.route("/set/nick",methods=["POST"])
 def new_nick():
     next = "/#"+request.form["caller"] if "caller" in request.form else "/"
-    csrf_check(next)
+    if csrf_check():
+        return redirect(next)
     if "id" in session.keys():
         session["alert"]="Sinulla on jo nimimerkki. Käytä sitä."
         return redirect(next)
diff --git a/routes/create.py b/routes/create.py
index 083cc0e..2de8e27 100644
--- a/routes/create.py
+++ b/routes/create.py
@@ -41,7 +41,8 @@ def create():
 
 @app.route("/set/quiz",methods=["POST"])
 def new_quiz():
-    csrf_check("/#create")
+    if csrf_check():
+        return redirect("/#create")
     if not "id" in session.keys():
         session["alert"]="Tarvitset nimimerkin loudaksesi."
         return redirect("/#create")
@@ -52,7 +53,8 @@ def new_quiz():
 
 @app.route("/set/quiz_ready",methods=["POST"])
 def quiz_ready():
-    csrf_check("/#create")
+    if csrf_check():
+        return redirect("/#create")
     if "quiz_id" not in session.keys():
         session["alert"] = "Kyselmä jota ei ole aloitettu ei voi olla valmis."
         return redirect("/#create")
diff --git a/routes/question.py b/routes/question.py
index de8dc28..42fce8d 100644
--- a/routes/question.py
+++ b/routes/question.py
@@ -14,7 +14,8 @@ def question():
 
 @app.route("/set/question",methods=["POST"])
 def new_question():
-    csrf_check("/#create")
+    if csrf_check():
+        return redirect("/#create")
     try:
         question = request.form["question"]
         neg_ans = request.form["neg_ans"]
diff --git a/routes/tools.py b/routes/tools.py
index 3f831a9..c55ca74 100644
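Review bot: In the second loop of set_answers, `int(question)` on the line `D.answer_new(int(sid), int(question), int(answer))` runs outside any try, so a POSTed key that is neither `csrf` nor a numeric question id raises ValueError and produces a 500 instead of the alert-and-redirect the rest of the handler uses. The first loop in the earlier hunk only converts the value, and its except clause is outside the visible hunks, so I cannot confirm it rejects such keys; assuming it catches ValueError, adding `if not question.isdigit(): raise ValueError(question)` inside that try would make the second loop see only keys already validated. The handler also inserts with `D.answer_new` for every key without confirming the id belongs to the quiz being answered, which the visible code does not check; that may be handled in `answer_new`, worth a comment either way. set_answers begins before this hunk.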
--- a/routes/tools.py
+++ b/routes/tools.py
@@ -1,5 +1,5 @@
 from random import randint
-from flask import session
+from flask import session, request
 import db_actions as D
 
 def rows2dicts( rows, names ):
@@ -38,9 +38,10 @@ def generate_link():
         str+=vocal[randint(0,len(vocal)-1)]
     return str
 
-def csrf_check( redir ):
+def csrf_check():
     if "csrf" not in session \
         or "csrf" not in request.form \
-        or session["csrf"]!=request.form["csrf"]:
-        session["alert"]="Istuntosi katkesi tai pyyntö toiselta sivulta!"
-        return redirect( redir )
+        or session["csrf"] != request.form["csrf"]:
+        session["alert"]="Istuntosi katkesi tai pyyntö on toiselta sivulta!"
+        return True
+    return False
diff --git a/templates/analyse.html b/templates/analyse.html
index b7139e4..6dcc1be 100644
--- a/templates/analyse.html
+++ b/templates/analyse.html
@@ -26,6 +26,7 @@ Tutkit kyselmää: {{ code }} {% endif %} {% endfor %} +
@@ -60,6 +61,7 @@ Tutkit kyselmää: {{ code }}
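Review bot: `session["csrf"] != request.form["csrf"]` in csrf_check compares the token with ordinary string equality; the usual practice for a secret compare is constant time, `hmac.compare_digest(str(session["csrf"]).encode(), request.form["csrf"].encode())` with `import hmac` at the top of routes/tools.py, the `.encode()` because compare_digest raises TypeError on non-ASCII str and the form value is attacker-controlled. The function returns True on *failure*, so every call site in this diff reads `if csrf_check(): return redirect(...)` as though success were being tested; either rename it `csrf_failed()` or give it a docstring `"""Return True when the POST carries no valid CSRF token; sets session["alert"] on failure."""` so the inverted sense is explicit. Where `session["csrf"]` is minted is not in this diff (only the `token_urlsafe` import in routes/base.py is), so I could not confirm the token exists before the templates render; if it does not, every POST is rejected with the session-expired alert.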
+
@@ -67,6 +69,7 @@ Tutkit kyselmää: {{ code }}
+
@@ -74,6 +77,7 @@ Tutkit kyselmää: {{ code }}
+
@@ -81,6 +85,7 @@ Tutkit kyselmää: {{ code }}
+
@@ -93,6 +98,7 @@ Tutkit kyselmää: {{ code }} Vaihda kyselyn koodia: +
diff --git a/templates/answer.html b/templates/answer.html
index 6231785..4bf61d3 100644
--- a/templates/answer.html
+++ b/templates/answer.html
@@ -18,6 +18,7 @@ Vastaa kyselmään "{{ link }}": {% endfor %} +
@@ -28,6 +29,7 @@ Vastaa kyselmään "{{ link }}": Vastaa kyselyyn koodilla: +
diff --git a/templates/base.html b/templates/base.html
index f38eb12..e47e643 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -5,6 +5,7 @@ Anna itsellesi nimimerkki ensin: + {% endif %}
diff --git a/templates/create.html b/templates/create.html
index 21520b5..eb4bccd 100644
--- a/templates/create.html
+++ b/templates/create.html
@@ -25,6 +25,7 @@
+
@@ -34,6 +35,7 @@ {% else %}
+
diff --git a/templates/question.html b/templates/question.html
index 62afaaf..76cba79 100644
--- a/templates/question.html
+++ b/templates/question.html
@@ -12,6 +12,7 @@ +
-- cgit v1.2.3