From: Frédéric Péters Date: Thu, 4 Jun 2020 13:48:19 +0000 (+0200) Subject: enable csrf for live-edit post X-Git-Tag: v2022~33 X-Git-Url: https://git.0d.be/?p=chloro.git;a=commitdiff_plain;h=4c9d14f02af670cc51c5314248fd1101c5725e05 enable csrf for live-edit post
---
diff --git a/chloro/phyll/static/js/chloro.js b/chloro/phyll/static/js/chloro.js
index 066c573..78930c3 100644
--- a/chloro/phyll/static/js/chloro.js
+++ b/chloro/phyll/static/js/chloro.js
@@ -20,7 +20,10 @@ $(function() {
 $('#save').on('click', function() {
 var text = $('div[contenteditable]')[0].innerHTML;
- $.post('api-save/', {text: text}).fail(function() {
+ var csrf = $('[name=csrfmiddlewaretoken]').val();
+ $.post('api-save/',
+ { text: text, csrfmiddlewaretoken: csrf}
+ ).fail(function() {
 $('#save').css('background', 'red');
 });
 return false;
diff --git a/chloro/phyll/templates/phyll/note_detail.html b/chloro/phyll/templates/phyll/note_detail.html
index d0b9bc3..06966f4 100644
--- a/chloro/phyll/templates/phyll/note_detail.html
+++ b/chloro/phyll/templates/phyll/note_detail.html
@@ -8,7 +8,9 @@
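Review bot: The token is read from the DOM and sent as a body field of this one request; Django also accepts it in the `X-CSRFToken` request header, so a page-level `$.ajaxSetup({headers: {'X-CSRFToken': $('[name=csrfmiddlewaretoken]').val()}})` would cover every AJAX post without each call site having to add the field. Because the template renders the hidden input only for staff, `.val()` yields undefined for other users and the post still goes out, ending in the `.fail` handler with no hint as to why; a comment such as `// token is absent for non-staff: the server rejects the post` on the `var csrf` line would make that intentional path explicit. The click handler closes outside the hunk.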

{{ object.title }}

{{ object.text|safe }}
-{% if request.user.is_staff %}{% endif %}
+{% if request.user.is_staff %}
+{% csrf_token %}
+{% endif %}
{{ object.creation_timestamp|date:"j E Y, H:i"|lower }}
diff --git a/chloro/phyll/views.py b/chloro/phyll/views.py
index 108a8ea..a03c93f 100644
--- a/chloro/phyll/views.py
+++ b/chloro/phyll/views.py
@@ -22,7 +22,6 @@ from django.core.exceptions import PermissionDenied
 from django.http import HttpResponse, Http404
 from django.utils.feedgenerator import Atom1Feed
 from django.views import View
-from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import CreateView, DeleteView, DetailView, ListView, UpdateView, TemplateView
 
 from .models import Note
@@ -55,10 +54,6 @@ class NoteEditView(UpdateView):
 class NoteApiSaveView(View):
 http_method_names = ['post']
 
- @csrf_exempt
- def dispatch(self, *args, **kwargs):
- return super().dispatch(*args, **kwargs)
-
 def post(self, request, *args, **kwargs):
 note = Note.objects.get(slug=kwargs['slug'])
 note.text = request.POST['text']
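Review bot: Nothing in the visible part of `NoteApiSaveView.post()` checks who is posting; the template only hides the save control from non-staff, so unless a check exists further down in `post()` (which continues outside the hunk), any client, not only staff, can modify the note. Dropping `csrf_exempt` closes the cross-site angle but is not an authorization check; add `if not request.user.is_staff: raise PermissionDenied` as the first statement of `post()`, using the `PermissionDenied` import already shown in the first hunk's context line. Separately, `Note.objects.get(slug=kwargs['slug'])` raises `Note.DoesNotExist` for an unknown slug, which surfaces as a server error rather than a 404; catching it and raising the already-imported `Http404` would be the more accurate response.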