Add CSRF protection to all POSTable views in Review Board.
Review Request #5572 — Created March 2, 2014 and submitted — Latest diff uploaded
All views in Review Board that handle HTTP POST requests are now decorated with a @csrf_protect decorator, and have matching {% csrf_token %} tags in the templates. This adds a layer of protection we didn't have before.

Like the Djblets change, this doesn't affect the API, but does handle all the user-facing and admin-facing views that accept HTTP POST.
Did the same testing I did with Djblets.
Tested each view in Review Board, with the {% csrf_token %} tags removed.
Saw the CSRF validation failures. Added back the tags, and was able to POST.
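
A static complement to the manual test described above, as an added example that is not part of this review request or of Review Board's code: it scans template source for POST forms that lack a {% csrf_token %} tag, which is the condition that produces the CSRF validation failure on a @csrf_protect view. The template names and contents are constructed samples, and the regex-based form matching is a simplification that assumes no `>` inside the opening form tag.

```python
import re

# Each <form ...>...</form> block; DOTALL so a form can span several lines.
FORM_RE = re.compile(r"<form\b(?P<attrs>[^>]*)>(?P<body>.*?)</form\s*>", re.I | re.S)
METHOD_RE = re.compile(r"""\bmethod\s*=\s*["']?\s*post\b""", re.I)
TOKEN_RE = re.compile(r"{%\s*csrf_token\s*%}")

# Constructed sample templates (hypothetical paths, not Review Board's own files).
SAMPLE_TEMPLATES = {
    "account/login.html": """<h1>Log in</h1>
<form method="post" action=".">
 {% csrf_token %}
 <input type="submit" value="Log in">
</form>
""",
    "admin/settings.html": """<form action="." method="POST">
 <input type="text" name="site_name">
</form>
<form method="get" action="/search/">
 <input type="text" name="q">
</form>
""",
}


def forms_missing_csrf_token(template_source):
    """Return (line_number, opening_tag) for each POST form lacking the tag."""
    findings = []
    for m in FORM_RE.finditer(template_source):
        if not METHOD_RE.search(m.group("attrs")):
            continue  # GET forms are not subject to Django's CSRF check
        if TOKEN_RE.search(m.group("body")):
            continue  # token present, POST will validate
        line = template_source.count("\n", 0, m.start()) + 1
        findings.append((line, "<form" + m.group("attrs") + ">"))
    return findings


def audit(templates):
    """Map template name -> findings, listing only templates with problems."""
    report = {}
    for name, source in templates.items():
        hits = forms_missing_csrf_token(source)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_TEMPLATES).items():
        for line, tag in hits:
            print(f"{name}:{line}: POST form without csrf_token: {tag}")
```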