Add CSRF protection to all POSTable views in Review Board.

Review Request #5572 — Created March 2, 2014 and submitted

Information

Review Board
release-2.0.x
d90c719...

Reviewers

All views in Review Board that handle HTTP POST requests are now
decorated with a @csrf_protect decorator, and have matching
{% csrf_token %} tags in the templates. This adds a layer of protection
we didn't have before.

Like the Djblets change, this doesn't affect the API, but does handle
all the user-facing and admin-facing views that accept HTTP POST.

Did the same testing I did with Djblets.

Tested each view in Review Board, with the {% csrf_token %} tags removed.
Saw the CSRF validation failures. Added back the tags, and was able to POST.

david
  1. Ship It!

  2. 
      
chipx86
Review request changed
Status:
Completed