Add CSRF token to all buttons through a new buttonW widget

fr33domlover 2018-07-11 08:15:19 +00:00
parent 7fdc7e703d
commit cf3f8fb8f6
18 changed files with 60 additions and 65 deletions


@ -1,6 +1,6 @@
{- This file is part of Vervis. {- This file is part of Vervis.
- -
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>. - Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
- -
- Copying is an act of love. Please copy, reuse and share. - Copying is an act of love. Please copy, reuse and share.
- -
@ -31,6 +31,7 @@ import Data.Text (Text, intercalate)
import Data.Text.Encoding (decodeUtf8With) import Data.Text.Encoding (decodeUtf8With)
import Data.Text.Encoding.Error (lenientDecode) import Data.Text.Encoding.Error (lenientDecode)
import Database.Persist import Database.Persist
import Network.HTTP.Types (StdMethod (DELETE))
import Text.Blaze.Html (Html, toHtml) import Text.Blaze.Html (Html, toHtml)
import Yesod.Auth (requireAuthId) import Yesod.Auth (requireAuthId)
import Yesod.Core (defaultLayout) import Yesod.Core (defaultLayout)
@ -45,6 +46,7 @@ import Vervis.Foundation
import Vervis.Model import Vervis.Model
import Vervis.Model.Ident import Vervis.Model.Ident
import Vervis.Settings import Vervis.Settings
import Vervis.Widget (buttonW)
getKeysR :: Handler Html getKeysR :: Handler Html
getKeysR = do getKeysR = do


@ -32,6 +32,7 @@ import Data.Text.Encoding (decodeUtf8With)
import Data.Text.Encoding.Error (lenientDecode) import Data.Text.Encoding.Error (lenientDecode)
import Data.Traversable (for) import Data.Traversable (for)
import Database.Esqueleto import Database.Esqueleto
import Network.HTTP.Types (StdMethod (DELETE))
import System.FilePath ((</>), joinPath) import System.FilePath ((</>), joinPath)
import System.Directory (doesFileExist) import System.Directory (doesFileExist)
import Text.Blaze.Html (Html) import Text.Blaze.Html (Html)
@ -65,6 +66,7 @@ import Vervis.Settings
import Vervis.SourceTree import Vervis.SourceTree
import Vervis.Style import Vervis.Style
import Vervis.Time import Vervis.Time
import Vervis.Widget (buttonW)
import Vervis.Widget.Repo import Vervis.Widget.Repo
import Vervis.Widget.Sharer import Vervis.Widget.Sharer


@ -42,6 +42,7 @@ import Data.Text.Encoding.Error (lenientDecode)
import Data.Traversable (for) import Data.Traversable (for)
import Database.Esqueleto import Database.Esqueleto
import Data.Hourglass (timeConvert) import Data.Hourglass (timeConvert)
import Network.HTTP.Types (StdMethod (DELETE))
import System.Directory (createDirectoryIfMissing) import System.Directory (createDirectoryIfMissing)
import System.Hourglass (dateCurrent) import System.Hourglass (dateCurrent)
import Text.Blaze.Html (Html) import Text.Blaze.Html (Html)
@ -75,6 +76,7 @@ import Vervis.Settings
import Vervis.SourceTree import Vervis.SourceTree
import Vervis.Style import Vervis.Style
import Vervis.Time (showDate) import Vervis.Time (showDate)
import Vervis.Widget (buttonW)
import Vervis.Widget.Repo import Vervis.Widget.Repo
import Vervis.Widget.Sharer (personLinkW) import Vervis.Widget.Sharer (personLinkW)


@ -1,6 +1,6 @@
{- This file is part of Vervis. {- This file is part of Vervis.
- -
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>. - Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
- -
- Copying is an act of love. Please copy, reuse and share. - Copying is an act of love. Please copy, reuse and share.
- -
@ -38,6 +38,7 @@ where
import Prelude import Prelude
import Database.Persist import Database.Persist
import Network.HTTP.Types (StdMethod (DELETE))
import Text.Blaze.Html (Html) import Text.Blaze.Html (Html)
import Yesod.Auth (requireAuthId) import Yesod.Auth (requireAuthId)
import Yesod.Core (defaultLayout, setMessage) import Yesod.Core (defaultLayout, setMessage)
@ -52,6 +53,7 @@ import Vervis.Model
import Vervis.Model.Ident (ShrIdent, RlIdent, rl2text) import Vervis.Model.Ident (ShrIdent, RlIdent, rl2text)
import Vervis.Role import Vervis.Role
import Vervis.Settings (widgetFile) import Vervis.Settings (widgetFile)
import Vervis.Widget (buttonW)
import Vervis.Widget.Role import Vervis.Widget.Role
getRepoRolesR :: ShrIdent -> Handler Html getRepoRolesR :: ShrIdent -> Handler Html


@ -68,6 +68,7 @@ import Data.Time.Format (formatTime, defaultTimeLocale)
import Data.Traversable (for) import Data.Traversable (for)
import Database.Esqueleto hiding ((=.), (+=.), update, delete) import Database.Esqueleto hiding ((=.), (+=.), update, delete)
import Database.Persist hiding ((==.)) import Database.Persist hiding ((==.))
import Network.HTTP.Types (StdMethod (DELETE, POST))
import Text.Blaze.Html (Html, toHtml) import Text.Blaze.Html (Html, toHtml)
import Yesod.Auth (requireAuthId, maybeAuthId) import Yesod.Auth (requireAuthId, maybeAuthId)
import Yesod.Core (defaultLayout) import Yesod.Core (defaultLayout)
@ -96,6 +97,7 @@ import Vervis.Style
import Vervis.Ticket import Vervis.Ticket
import Vervis.TicketFilter (filterTickets) import Vervis.TicketFilter (filterTickets)
import Vervis.Time (showDate) import Vervis.Time (showDate)
import Vervis.Widget (buttonW)
import Vervis.Widget.Discussion (discussionW) import Vervis.Widget.Discussion (discussionW)
import Vervis.Widget.Sharer (personLinkW) import Vervis.Widget.Sharer (personLinkW)
import Vervis.Widget.Ticket import Vervis.Widget.Ticket


@ -1,6 +1,6 @@
{- This file is part of Vervis. {- This file is part of Vervis.
- -
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>. - Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
- -
- Copying is an act of love. Please copy, reuse and share. - Copying is an act of love. Please copy, reuse and share.
- -
@ -50,6 +50,7 @@ import Prelude
import Data.Maybe (fromMaybe) import Data.Maybe (fromMaybe)
import Data.Text (Text) import Data.Text (Text)
import Database.Persist import Database.Persist
import Network.HTTP.Types (StdMethod (DELETE, PUT))
import Text.Blaze.Html (Html) import Text.Blaze.Html (Html)
import Yesod.Auth (requireAuthId) import Yesod.Auth (requireAuthId)
import Yesod.Core (defaultLayout) import Yesod.Core (defaultLayout)
@ -64,6 +65,7 @@ import Vervis.Model
import Vervis.Model.Ident import Vervis.Model.Ident
import Vervis.Model.Workflow import Vervis.Model.Workflow
import Vervis.Settings import Vervis.Settings
import Vervis.Widget (buttonW)
import Vervis.Widget.Sharer import Vervis.Widget.Sharer
------------------------------------------------------------------------------- -------------------------------------------------------------------------------


@ -18,6 +18,7 @@ module Vervis.Widget
( breadcrumbsW ( breadcrumbsW
, revisionW , revisionW
, avatarW , avatarW
, buttonW
) )
where where
@ -28,7 +29,8 @@ import Data.Time.Calendar (toGregorian)
import Data.Time.Clock (UTCTime (..)) import Data.Time.Clock (UTCTime (..))
import Development.Darcs.Rev import Development.Darcs.Rev
import Formatting (sformat, (%), int, left) import Formatting (sformat, (%), int, left)
import Yesod.Core (YesodBreadcrumbs, breadcrumbs) import Network.HTTP.Types (StdMethod)
import Yesod.Core
import Yesod.Core.Widget import Yesod.Core.Widget
import qualified Data.Text as T (take) import qualified Data.Text as T (take)
@ -62,3 +64,15 @@ avatarW secure email = do
$nothing $nothing
<p>INVALID EMAIL <p>INVALID EMAIL
|] |]
buttonW :: StdMethod -> Text -> Route site -> WidgetT site IO ()
buttonW method content route = do
let tokenKey = defaultCsrfParamName
mtoken <- reqToken <$> getRequest
[whamlet|
<form method=POST action=@{route}>
<input type=hidden name=_method value=#{show method}>
$maybe n <- mtoken
<input type=hidden name=#{tokenKey} value=#{n}>
<input type=submit value="#{content}">
|]
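Review bot: `buttonW` puts the CSRF token into the form body, which is the right place, but nothing in this commit shows the token being verified — the protection only materialises if `csrfCheckMiddleware` (or `defaultCsrfMiddleware`) is part of the application's `yesodMiddleware`, and any hand-written POST form elsewhere that was not converted to `buttonW` will start failing once that check is enabled, so both should be confirmed in the same change. The `$maybe n <- mtoken` branch silently drops the hidden field when `reqToken` is `Nothing` (no session available), so such a button would then be rejected by the middleware rather than fail visibly; presumably acceptable here, but it deserves a short comment. The function also has no Haddock; I would add `-- | A one-button POST form for @route@, overriding the HTTP method via the @_method@ field and carrying the session's CSRF token under 'defaultCsrfParamName' when one exists.` Finally, replacing `import Yesod.Core (YesodBreadcrumbs, breadcrumbs)` with a bare `import Yesod.Core` pulls in the whole module; listing the newly needed names (`Route`, `getRequest`, `reqToken`, `defaultCsrfParamName`) would keep the import surface explicit as the rest of the file does.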


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -13,9 +13,7 @@ $# with this software. If not, see
$# <http://creativecommons.org/publicdomain/zero/1.0/>. $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<p> <p>
<form method=POST action=@{KeyR tag}> ^{buttonW DELETE "Delete this key" (KeyR tag)}
<input type=hidden name=_method value=DELETE>
<input type=submit value="Delete this key">
<table> <table>
<tr> <tr>


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -13,9 +13,7 @@ $# with this software. If not, see
$# <http://creativecommons.org/publicdomain/zero/1.0/>. $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<div> <div>
<form method=POST action=@{ProjectRoleR shr rl}> ^{buttonW DELETE "Delete this role" (ProjectRoleR shr rl)}
<input type=hidden name=_method value=DELETE>
<input type=submit value="Delete this role">
<p> <p>
<a href=@{ProjectRoleOpsR shr rl}>Operations <a href=@{ProjectRoleOpsR shr rl}>Operations


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -13,9 +13,7 @@ $# with this software. If not, see
$# <http://creativecommons.org/publicdomain/zero/1.0/>. $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<div> <div>
<form method=POST action=@{RepoRoleR shr rl}> ^{buttonW DELETE "Delete this role" (RepoRoleR shr rl)}
<input type=hidden name=_method value=DELETE>
<input type=submit value="Delete this role">
<p> <p>
<a href=@{RepoRoleOpsR shr rl}>Operations <a href=@{RepoRoleOpsR shr rl}>Operations


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -16,9 +16,7 @@ $maybe desc <- repoDesc repository
<p>#{desc} <p>#{desc}
<p> <p>
<form method=POST action=@{RepoR user repo}> ^{buttonW DELETE "Delete this repo" (RepoR user repo)}
<input type=hidden name=_method value=DELETE>
<input type=submit value="Delete this repo">
<p> <p>
<a href=@{RepoDevsR user repo}>Collaborators <a href=@{RepoDevsR user repo}>Collaborators


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -16,9 +16,7 @@ $maybe desc <- repoDesc repository
<p>#{desc} <p>#{desc}
<p> <p>
<form method=POST action=@{RepoR user repo}> ^{buttonW DELETE "Delete this repo" (RepoR user repo)}
<input type=hidden name=_method value=DELETE>
<input type=submit value="Delete this repo">
<p> <p>
<a href=@{RepoDevsR user repo}>Collaborators <a href=@{RepoDevsR user repo}>Collaborators


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -32,9 +32,7 @@ $# <http://creativecommons.org/publicdomain/zero/1.0/>.
#{show status} #{show status}
$if forward $if forward
<td> <td>
<form method=POST action=@{TicketDepR shr prj num number}> ^{buttonW DELETE "Remove" (TicketDepR shr prj num number)}
<input type=hidden name=_method value=DELETE>
<input type=submit value="Remove">
$if forward $if forward
<p> <p>


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -15,9 +15,7 @@ $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<p> <p>
<a href=@{TicketEditR shar proj num}>Edit this ticket <a href=@{TicketEditR shar proj num}>Edit this ticket
<p> <p>
<form method=POST action=@{TicketR shar proj num}> ^{buttonW DELETE "Delete this ticket" (TicketR shar proj num)}
<input type=hidden name=_method value=DELETE>
<input type=submit value="Delete this ticket">
<p> <p>
Depended by: Depended by:
@ -51,13 +49,11 @@ $if ticketStatus ticket /= TSClosed
$if me $if me
Assigned to you. Assigned to you.
<form method=POST action=@{TicketUnclaimR shar proj num}> ^{buttonW POST "Unclaim this ticket" (TicketUnclaimR shar proj num)}
<input type=submit value="Unclaim this ticket">
$else $else
Assigned to ^{personLinkW assignee}. Assigned to ^{personLinkW assignee}.
<form method=POST action=@{TicketUnassignR shar proj num}> ^{buttonW POST "Unassign this ticket" (TicketUnassignR shar proj num)}
<input type=submit value="Unassign this ticket">
$nothing $nothing
Not assigned. Not assigned.
@ -65,8 +61,7 @@ $if ticketStatus ticket /= TSClosed
or or
<form method=POST action=@{TicketClaimR shar proj num}> ^{buttonW POST "Claim this ticket" (TicketClaimR shar proj num)}
<input type=submit value="Claim this ticket">
or or
@ -88,21 +83,17 @@ $if ticketStatus ticket /= TSClosed
$of TSNew $of TSNew
Open, new. Open, new.
<form method=POST action=@{TicketAcceptR shar proj num}> ^{buttonW POST "Accept this ticket" (TicketAcceptR shar proj num)}
<input type=submit value="Accept this ticket"> ^{buttonW POST "Close this ticket" (TicketCloseR shar proj num)}
<form method=POST action=@{TicketCloseR shar proj num}>
<input type=submit value="Close this ticket">
$of TSTodo $of TSTodo
Open, to do. Open, to do.
<form method=POST action=@{TicketCloseR shar proj num}> ^{buttonW POST "Close this ticket" (TicketCloseR shar proj num)}
<input type=submit value="Close this ticket">
$of TSClosed $of TSClosed
Closed on #{showDate $ ticketClosed ticket} by Closed on #{showDate $ ticketClosed ticket} by
^{personLinkW closer}. ^{personLinkW closer}.
<form method=POST action=@{TicketOpenR shar proj num}> ^{buttonW POST "Reopen this ticket" (TicketOpenR shar proj num)}
<input type=submit value="Reopen this ticket">
<h2>#{ticketTitle ticket} <h2>#{ticketTitle ticket}


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -25,9 +25,5 @@ $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<div> <div>
#{fromMaybe "(none)" $ workflowFieldEnumCtorDesc c} #{fromMaybe "(none)" $ workflowFieldEnumCtorDesc c}
<div> <div>
<form method="POST" action=@{WorkflowEnumCtorR shr wfl enm name}> ^{buttonW PUT "Edit this ctor" (WorkflowEnumCtorR shr wfl enm name)}
<input type="hidden" name="_method" value="PUT"> ^{buttonW DELETE "Delete this ctor" (WorkflowEnumCtorR shr wfl enm name)}
<input type="submit" value="Edit this ctor">
<form method="POST" action=@{WorkflowEnumCtorR shr wfl enm name}>
<input type="hidden" name="_method" value="DELETE">
<input type="submit" value="Delete this ctor">


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -13,9 +13,7 @@ $# with this software. If not, see
$# <http://creativecommons.org/publicdomain/zero/1.0/>. $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<p> <p>
<form method="POST" action=@{WorkflowEnumR shr wfl enm}> ^{buttonW DELETE "Delete this enum" (WorkflowEnumR shr wfl enm)}
<input type="hidden" name="_method" value="DELETE">
<input type="submit" value="Delete this enum">
<ul> <ul>
<li> <li>


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -13,9 +13,7 @@ $# with this software. If not, see
$# <http://creativecommons.org/publicdomain/zero/1.0/>. $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<p> <p>
<form method="POST" action=@{WorkflowFieldR shr wfl fld}> ^{buttonW DELETE "Delete this field" (WorkflowFieldR shr wfl fld)}
<input type="hidden" name="_method" value="DELETE">
<input type="submit" value="Delete this field">
<ul> <ul>
<li> <li>


@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -13,9 +13,7 @@ $# with this software. If not, see
$# <http://creativecommons.org/publicdomain/zero/1.0/>. $# <http://creativecommons.org/publicdomain/zero/1.0/>.
<p> <p>
<form method="POST" action=@{WorkflowR shr wfl}> ^{buttonW DELETE "Delete this workflow" (WorkflowR shr wfl)}
<input type="hidden" name="_method" value="DELETE">
<input type="submit" value="Delete this workflow">
<ul> <ul>
<li> <li>