Add CSRF token to all buttons through a new buttonW
widget
parent
7fdc7e703d
commit
cf3f8fb8f6
18 changed files with 60 additions and 65 deletions
@ -1,6 +1,6 @@
|
|||
{- This file is part of Vervis.
|
||||
-
|
||||
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
- Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
-
|
||||
- ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
-
|
||||
|
@ -31,6 +31,7 @@ import Data.Text (Text, intercalate)
|
|||
import Data.Text.Encoding (decodeUtf8With)
|
||||
import Data.Text.Encoding.Error (lenientDecode)
|
||||
import Database.Persist
|
||||
import Network.HTTP.Types (StdMethod (DELETE))
|
||||
import Text.Blaze.Html (Html, toHtml)
|
||||
import Yesod.Auth (requireAuthId)
|
||||
import Yesod.Core (defaultLayout)
|
||||
|
@ -45,6 +46,7 @@ import Vervis.Foundation
|
|||
import Vervis.Model
|
||||
import Vervis.Model.Ident
|
||||
import Vervis.Settings
|
||||
import Vervis.Widget (buttonW)
|
||||
|
||||
getKeysR :: Handler Html
|
||||
getKeysR = do
|
||||
|
|
|
@ -32,6 +32,7 @@ import Data.Text.Encoding (decodeUtf8With)
|
|||
import Data.Text.Encoding.Error (lenientDecode)
|
||||
import Data.Traversable (for)
|
||||
import Database.Esqueleto
|
||||
import Network.HTTP.Types (StdMethod (DELETE))
|
||||
import System.FilePath ((</>), joinPath)
|
||||
import System.Directory (doesFileExist)
|
||||
import Text.Blaze.Html (Html)
|
||||
|
@ -65,6 +66,7 @@ import Vervis.Settings
|
|||
import Vervis.SourceTree
|
||||
import Vervis.Style
|
||||
import Vervis.Time
|
||||
import Vervis.Widget (buttonW)
|
||||
import Vervis.Widget.Repo
|
||||
import Vervis.Widget.Sharer
|
||||
|
||||
|
|
|
@ -42,6 +42,7 @@ import Data.Text.Encoding.Error (lenientDecode)
|
|||
import Data.Traversable (for)
|
||||
import Database.Esqueleto
|
||||
import Data.Hourglass (timeConvert)
|
||||
import Network.HTTP.Types (StdMethod (DELETE))
|
||||
import System.Directory (createDirectoryIfMissing)
|
||||
import System.Hourglass (dateCurrent)
|
||||
import Text.Blaze.Html (Html)
|
||||
|
@ -75,6 +76,7 @@ import Vervis.Settings
|
|||
import Vervis.SourceTree
|
||||
import Vervis.Style
|
||||
import Vervis.Time (showDate)
|
||||
import Vervis.Widget (buttonW)
|
||||
import Vervis.Widget.Repo
|
||||
import Vervis.Widget.Sharer (personLinkW)
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{- This file is part of Vervis.
|
||||
-
|
||||
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
- Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
-
|
||||
- ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
-
|
||||
|
@ -38,6 +38,7 @@ where
|
|||
import Prelude
|
||||
|
||||
import Database.Persist
|
||||
import Network.HTTP.Types (StdMethod (DELETE))
|
||||
import Text.Blaze.Html (Html)
|
||||
import Yesod.Auth (requireAuthId)
|
||||
import Yesod.Core (defaultLayout, setMessage)
|
||||
|
@ -52,6 +53,7 @@ import Vervis.Model
|
|||
import Vervis.Model.Ident (ShrIdent, RlIdent, rl2text)
|
||||
import Vervis.Role
|
||||
import Vervis.Settings (widgetFile)
|
||||
import Vervis.Widget (buttonW)
|
||||
import Vervis.Widget.Role
|
||||
|
||||
getRepoRolesR :: ShrIdent -> Handler Html
|
||||
|
|
|
@ -68,6 +68,7 @@ import Data.Time.Format (formatTime, defaultTimeLocale)
|
|||
import Data.Traversable (for)
|
||||
import Database.Esqueleto hiding ((=.), (+=.), update, delete)
|
||||
import Database.Persist hiding ((==.))
|
||||
import Network.HTTP.Types (StdMethod (DELETE, POST))
|
||||
import Text.Blaze.Html (Html, toHtml)
|
||||
import Yesod.Auth (requireAuthId, maybeAuthId)
|
||||
import Yesod.Core (defaultLayout)
|
||||
|
@ -96,6 +97,7 @@ import Vervis.Style
|
|||
import Vervis.Ticket
|
||||
import Vervis.TicketFilter (filterTickets)
|
||||
import Vervis.Time (showDate)
|
||||
import Vervis.Widget (buttonW)
|
||||
import Vervis.Widget.Discussion (discussionW)
|
||||
import Vervis.Widget.Sharer (personLinkW)
|
||||
import Vervis.Widget.Ticket
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{- This file is part of Vervis.
|
||||
-
|
||||
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
- Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
-
|
||||
- ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
-
|
||||
|
@ -50,6 +50,7 @@ import Prelude
|
|||
import Data.Maybe (fromMaybe)
|
||||
import Data.Text (Text)
|
||||
import Database.Persist
|
||||
import Network.HTTP.Types (StdMethod (DELETE, PUT))
|
||||
import Text.Blaze.Html (Html)
|
||||
import Yesod.Auth (requireAuthId)
|
||||
import Yesod.Core (defaultLayout)
|
||||
|
@ -64,6 +65,7 @@ import Vervis.Model
|
|||
import Vervis.Model.Ident
|
||||
import Vervis.Model.Workflow
|
||||
import Vervis.Settings
|
||||
import Vervis.Widget (buttonW)
|
||||
import Vervis.Widget.Sharer
|
||||
|
||||
-------------------------------------------------------------------------------
|
||||
|
|
|
@ -18,6 +18,7 @@ module Vervis.Widget
|
|||
( breadcrumbsW
|
||||
, revisionW
|
||||
, avatarW
|
||||
, buttonW
|
||||
)
|
||||
where
|
||||
|
||||
|
@ -28,7 +29,8 @@ import Data.Time.Calendar (toGregorian)
|
|||
import Data.Time.Clock (UTCTime (..))
|
||||
import Development.Darcs.Rev
|
||||
import Formatting (sformat, (%), int, left)
|
||||
import Yesod.Core (YesodBreadcrumbs, breadcrumbs)
|
||||
import Network.HTTP.Types (StdMethod)
|
||||
import Yesod.Core
|
||||
import Yesod.Core.Widget
|
||||
|
||||
import qualified Data.Text as T (take)
|
||||
|
@ -62,3 +64,15 @@ avatarW secure email = do
|
|||
$nothing
|
||||
<p>INVALID EMAIL
|
||||
|]
|
||||
|
||||
buttonW :: StdMethod -> Text -> Route site -> WidgetT site IO ()
|
||||
buttonW method content route = do
|
||||
let tokenKey = defaultCsrfParamName
|
||||
mtoken <- reqToken <$> getRequest
|
||||
[whamlet|
|
||||
<form method=POST action=@{route}>
|
||||
<input type=hidden name=_method value=#{show method}>
|
||||
$maybe n <- mtoken
|
||||
<input type=hidden name=#{tokenKey} value=#{n}>
|
||||
<input type=submit value="#{content}">
|
||||
|]
|
||||
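Review bot: `buttonW` silently renders a form with no CSRF field when `reqToken` returns `Nothing` (the `$maybe n <- mtoken` branch near the end of the hunk), so a deployment without a session backend gets buttons that look identical to protected ones, and even with the field present the token only matters if the foundation's `yesodMiddleware` runs a CSRF check, which this commit does not show. The new function also has no Haddock; I would add `-- | A one-button form that POSTs to @route@, tunnelling @method@ through the @_method@ field and embedding the session CSRF token when one is available. The token is only enforced if the site's middleware checks it.` Separately, the import hunk above appears to replace `import Yesod.Core (YesodBreadcrumbs, breadcrumbs)` with an open `import Yesod.Core` (inferred from print order, so hedged); listing the names the new code actually uses, such as `defaultCsrfParamName`, `reqToken` and `getRequest`, would keep this module's explicit-import style consistent with the handler modules touched in the same commit.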
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -13,9 +13,7 @@ $# with this software. If not, see
|
|||
$# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
||||
|
||||
<p>
|
||||
<form method=POST action=@{KeyR tag}>
|
||||
<input type=hidden name=_method value=DELETE>
|
||||
<input type=submit value="Delete this key">
|
||||
^{buttonW DELETE "Delete this key" (KeyR tag)}
|
||||
|
||||
<table>
|
||||
<tr>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -13,9 +13,7 @@ $# with this software. If not, see
|
|||
$# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
||||
|
||||
<div>
|
||||
<form method=POST action=@{ProjectRoleR shr rl}>
|
||||
<input type=hidden name=_method value=DELETE>
|
||||
<input type=submit value="Delete this role">
|
||||
^{buttonW DELETE "Delete this role" (ProjectRoleR shr rl)}
|
||||
|
||||
<p>
|
||||
<a href=@{ProjectRoleOpsR shr rl}>Operations
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -13,9 +13,7 @@ $# with this software. If not, see
|
|||
$# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
||||
|
||||
<div>
|
||||
<form method=POST action=@{RepoRoleR shr rl}>
|
||||
<input type=hidden name=_method value=DELETE>
|
||||
<input type=submit value="Delete this role">
|
||||
^{buttonW DELETE "Delete this role" (RepoRoleR shr rl)}
|
||||
|
||||
<p>
|
||||
<a href=@{RepoRoleOpsR shr rl}>Operations
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -16,9 +16,7 @@ $maybe desc <- repoDesc repository
|
|||
<p>#{desc}
|
||||
|
||||
<p>
|
||||
<form method=POST action=@{RepoR user repo}>
|
||||
<input type=hidden name=_method value=DELETE>
|
||||
<input type=submit value="Delete this repo">
|
||||
^{buttonW DELETE "Delete this repo" (RepoR user repo)}
|
||||
|
||||
<p>
|
||||
<a href=@{RepoDevsR user repo}>Collaborators
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -16,9 +16,7 @@ $maybe desc <- repoDesc repository
|
|||
<p>#{desc}
|
||||
|
||||
<p>
|
||||
<form method=POST action=@{RepoR user repo}>
|
||||
<input type=hidden name=_method value=DELETE>
|
||||
<input type=submit value="Delete this repo">
|
||||
^{buttonW DELETE "Delete this repo" (RepoR user repo)}
|
||||
|
||||
<p>
|
||||
<a href=@{RepoDevsR user repo}>Collaborators
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -32,9 +32,7 @@ $# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
|||
#{show status}
|
||||
$if forward
|
||||
<td>
|
||||
<form method=POST action=@{TicketDepR shr prj num number}>
|
||||
<input type=hidden name=_method value=DELETE>
|
||||
<input type=submit value="Remove">
|
||||
^{buttonW DELETE "Remove" (TicketDepR shr prj num number)}
|
||||
|
||||
$if forward
|
||||
<p>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -15,9 +15,7 @@ $# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
|||
<p>
|
||||
<a href=@{TicketEditR shar proj num}>Edit this ticket
|
||||
<p>
|
||||
<form method=POST action=@{TicketR shar proj num}>
|
||||
<input type=hidden name=_method value=DELETE>
|
||||
<input type=submit value="Delete this ticket">
|
||||
^{buttonW DELETE "Delete this ticket" (TicketR shar proj num)}
|
||||
|
||||
<p>
|
||||
Depended by:
|
||||
|
@ -51,13 +49,11 @@ $if ticketStatus ticket /= TSClosed
|
|||
$if me
|
||||
Assigned to you.
|
||||
|
||||
<form method=POST action=@{TicketUnclaimR shar proj num}>
|
||||
<input type=submit value="Unclaim this ticket">
|
||||
^{buttonW POST "Unclaim this ticket" (TicketUnclaimR shar proj num)}
|
||||
$else
|
||||
Assigned to ^{personLinkW assignee}.
|
||||
|
||||
<form method=POST action=@{TicketUnassignR shar proj num}>
|
||||
<input type=submit value="Unassign this ticket">
|
||||
^{buttonW POST "Unassign this ticket" (TicketUnassignR shar proj num)}
|
||||
$nothing
|
||||
Not assigned.
|
||||
|
||||
|
@ -65,8 +61,7 @@ $if ticketStatus ticket /= TSClosed
|
|||
|
||||
or
|
||||
|
||||
<form method=POST action=@{TicketClaimR shar proj num}>
|
||||
<input type=submit value="Claim this ticket">
|
||||
^{buttonW POST "Claim this ticket" (TicketClaimR shar proj num)}
|
||||
|
||||
or
|
||||
|
||||
|
@ -88,21 +83,17 @@ $if ticketStatus ticket /= TSClosed
|
|||
$of TSNew
|
||||
Open, new.
|
||||
|
||||
<form method=POST action=@{TicketAcceptR shar proj num}>
|
||||
<input type=submit value="Accept this ticket">
|
||||
<form method=POST action=@{TicketCloseR shar proj num}>
|
||||
<input type=submit value="Close this ticket">
|
||||
^{buttonW POST "Accept this ticket" (TicketAcceptR shar proj num)}
|
||||
^{buttonW POST "Close this ticket" (TicketCloseR shar proj num)}
|
||||
$of TSTodo
|
||||
Open, to do.
|
||||
|
||||
<form method=POST action=@{TicketCloseR shar proj num}>
|
||||
<input type=submit value="Close this ticket">
|
||||
^{buttonW POST "Close this ticket" (TicketCloseR shar proj num)}
|
||||
$of TSClosed
|
||||
Closed on #{showDate $ ticketClosed ticket} by
|
||||
^{personLinkW closer}.
|
||||
|
||||
<form method=POST action=@{TicketOpenR shar proj num}>
|
||||
<input type=submit value="Reopen this ticket">
|
||||
^{buttonW POST "Reopen this ticket" (TicketOpenR shar proj num)}
|
||||
|
||||
<h2>#{ticketTitle ticket}
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -25,9 +25,5 @@ $# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
|||
<div>
|
||||
#{fromMaybe "(none)" $ workflowFieldEnumCtorDesc c}
|
||||
<div>
|
||||
<form method="POST" action=@{WorkflowEnumCtorR shr wfl enm name}>
|
||||
<input type="hidden" name="_method" value="PUT">
|
||||
<input type="submit" value="Edit this ctor">
|
||||
<form method="POST" action=@{WorkflowEnumCtorR shr wfl enm name}>
|
||||
<input type="hidden" name="_method" value="DELETE">
|
||||
<input type="submit" value="Delete this ctor">
|
||||
^{buttonW PUT "Edit this ctor" (WorkflowEnumCtorR shr wfl enm name)}
|
||||
^{buttonW DELETE "Delete this ctor" (WorkflowEnumCtorR shr wfl enm name)}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -13,9 +13,7 @@ $# with this software. If not, see
|
|||
$# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
||||
|
||||
<p>
|
||||
<form method="POST" action=@{WorkflowEnumR shr wfl enm}>
|
||||
<input type="hidden" name="_method" value="DELETE">
|
||||
<input type="submit" value="Delete this enum">
|
||||
^{buttonW DELETE "Delete this enum" (WorkflowEnumR shr wfl enm)}
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -13,9 +13,7 @@ $# with this software. If not, see
|
|||
$# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
||||
|
||||
<p>
|
||||
<form method="POST" action=@{WorkflowFieldR shr wfl fld}>
|
||||
<input type="hidden" name="_method" value="DELETE">
|
||||
<input type="submit" value="Delete this field">
|
||||
^{buttonW DELETE "Delete this field" (WorkflowFieldR shr wfl fld)}
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
$# This file is part of Vervis.
|
||||
$#
|
||||
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
|
||||
$#
|
||||
$# ♡ Copying is an act of love. Please copy, reuse and share.
|
||||
$#
|
||||
|
@ -13,9 +13,7 @@ $# with this software. If not, see
|
|||
$# <http://creativecommons.org/publicdomain/zero/1.0/>.
|
||||
|
||||
<p>
|
||||
<form method="POST" action=@{WorkflowR shr wfl}>
|
||||
<input type="hidden" name="_method" value="DELETE">
|
||||
<input type="submit" value="Delete this workflow">
|
||||
^{buttonW DELETE "Delete this workflow" (WorkflowR shr wfl)}
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
|