Summary

Add CSRF protection to all POSTable views in Djblets.

Review Request #5571 — Created March 2, 2014 and submitted March 3, 2014, 4:37 p.m.

Information

Owner

chipx86

Repository

Djblets

Branch

master

Bugs

Depends On

Commit

72bcc4e...

Reviewers

Groups

djblets

People

Description

All views in Djblets that handle HTTP POST requests are now decorated
with a @csrf_protect decorator, and have matching {% csrf_token %} tags
in the templates. This adds a layer of protection we didn't have before.

The API is unaffected, as adding CSRF protection to APIs sort of defeats
the purpose of APIs. There are other protections we may want to make
here, but that's a separate task.

Testing Done

Tested each view in Review Board, with the {% csrf_token %} tags removed.
Saw the CSRF validation failures. Added back the tags, and was able to POST.

Issues

Description	From	Last Updated
This should be left-aligned, no?	david	March 3, 2014, 1:36 p.m.

djblets/siteconfig/templates/siteconfig/settings.html (Diff revision 1)

The issue has been dropped. Show all issues

This should be left-aligned, no?

chipx86 March 3, 2014, 1:02 a.m.

It's basically a variable for generating a <input/>, as opposed to any flow control or any block-generating statements, so it seemed appropriate to place it where I wanted the <input/>.

david March 3, 2014, 1:36 p.m.
```
Hmm, ok.
```

Ship it!

```
Ship It!
```

Review Board 7.0 alpha 0 (dev)

Add CSRF protection to all POSTable views in Djblets.

Information

Reviewers

Status: Closed (submitted)