changeset 5485:9faee4b754c0

userprefs notifications: add ticket
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Wed, 03 Feb 2010 13:20:56 +0100
parents 7f5b3389a7e1
children a283079b3f1e
files MoinMoin/userprefs/notification.py
diffstat 1 files changed, 12 insertions(+), 4 deletions(-) [+]
--- a/MoinMoin/userprefs/notification.py	Wed Feb 03 13:10:53 2010 +0100
+++ b/MoinMoin/userprefs/notification.py	Wed Feb 03 13:20:56 2010 +0100
@@ -8,7 +8,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 
-from MoinMoin import events
+from MoinMoin import events, wikiutil
 from MoinMoin.widget import html
 from MoinMoin.userprefs import UserPrefBase
 
@@ -46,8 +46,6 @@
         _ = self._
         form = self.request.form
 
-        if self.request.request_method != 'POST':
-            return
         theuser = self.request.user
         if not theuser:
             return
@@ -76,11 +74,18 @@
 
     def handle_form(self):
         _ = self._
-        form = self.request.form
+        request = self.request
+        form = request.form
 
         if form.has_key('cancel'):
             return
 
+        if request.request_method != 'POST':
+            return
+
+        if not wikiutil.checkTicket(request, form.get('ticket', [''])[0]):
+            return
+
         if form.has_key('save'): # Save user profile
             return self._save_notification_settings()
 
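Review bot: When `wikiutil.checkTicket` fails in `handle_form`, the new code does a bare `return`, so a user whose ticket is missing or stale gets no indication that the notification settings were not saved, and a rejected forged submission leaves no trace. If the caller displays what `handle_form` returns (the `save` branch returns the result of `_save_notification_settings()`, but the caller is not visible here), return a translated message asking the user to reload the form and submit again. A short comment above the check would also help, e.g. `# CSRF protection: only accept POSTs carrying the ticket we put into the form`. The body of `handle_form` continues past the end of this hunk.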
@@ -138,6 +143,9 @@
         self._form.append(html.INPUT(type="hidden", name="action", value="userprefs"))
         self._form.append(html.INPUT(type="hidden", name="handler", value="prefs"))
 
+        ticket = wikiutil.createTicket(self.request)
+        self._form.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
+
         if (not (self.cfg.mail_enabled and self.request.user.email)
             and not (self.cfg.jabber_enabled and self.request.user.jid)):
             self.make_row('', [html.Text(
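Review bot: The hidden `ticket` field added here is the value that `handle_form` later verifies with `wikiutil.checkTicket`, but nothing at this site says so. A comment such as `# anti-CSRF ticket, verified in handle_form()` would keep the two halves linked for the next maintainer. `value="%s" % ticket` is redundant if `createTicket` already returns a string (its return type is not visible here), in which case `value=ticket` reads more plainly. The enclosing method starts and ends outside the hunk.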