changeset 5486:a283079b3f1e

userprofile action: add ticket
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Wed, 03 Feb 2010 13:35:28 +0100
parents 9faee4b754c0
children 91aa8c3c515b 478dfec03a09
files MoinMoin/action/userprofile.py MoinMoin/userform/admin.py
diffstat 2 files changed, 5 insertions(+), 2 deletions(-) [+]
--- a/MoinMoin/action/userprofile.py	Wed Feb 03 13:20:56 2010 +0100
+++ b/MoinMoin/action/userprofile.py	Wed Feb 03 13:35:28 2010 +0100
@@ -6,7 +6,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 from MoinMoin.Page import Page
-from MoinMoin import user
+from MoinMoin import user, wikiutil
 
 def execute(pagename, request):
     """ set values in user profile """
@@ -16,7 +16,8 @@
 
     if not request.user.isSuperUser():
         request.theme.add_msg(_("Only superuser is allowed to use this action."), "error")
-    else:
+    elif (request.request_method == 'POST' and
+          wikiutil.checkTicket(request, form.get('ticket', [''])[0])):
         user_name = form.get('name', [''])[0]
         key = form.get('key', [''])[0]
         val = form.get('val', [''])[0]
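Review bot: A superuser request that is not a POST, or whose ticket is missing, expired or mismatched, now falls out of the new `elif` with no feedback visible in this hunk, so a rejected profile change looks the same as a silent no-op. The body of `execute` continues outside the hunk; if no later branch handles this case, add a final `else:` with `request.theme.add_msg(_("Invalid or missing ticket, please retry from the user administration form."), "error")`. Logging the rejection would also make forged cross-site requests against this superuser-only action visible to operators. A one-line comment above the condition, such as `# ticket check: CSRF guard for this state-changing action`, would record why both tests are required.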
--- a/MoinMoin/userform/admin.py	Wed Feb 03 13:20:56 2010 +0100
+++ b/MoinMoin/userform/admin.py	Wed Feb 03 13:35:28 2010 +0100
@@ -53,6 +53,8 @@
         url = request.page.url(request)
         ret = html.FORM(action=url)
         ret.append(html.INPUT(type='hidden', name='action', value='userprofile'))
+        ticket = wikiutil.createTicket(request, action='userprofile')
+        ret.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
         ret.append(html.INPUT(type='hidden', name='name', value=account.name))
         ret.append(html.INPUT(type='hidden', name='key', value="disabled"))
         ret.append(html.INPUT(type='hidden', name='val', value=val))
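Review bot: The handler now accepts only POST, but `html.FORM(action=url)` on the context line above the added lines sets no method, so the button keeps working only if the widget defaults to POST. Confirm that default, or state it explicitly if the widget accepts the attribute, e.g. `ret = html.FORM(action=url, method='POST')`. The hunk also does not show whether `wikiutil` is already imported in admin.py, which the new `createTicket` call needs. As a style point, `value="%s" % ticket` could be `value=ticket` written with the single quotes used by the neighbouring `html.INPUT` calls. The enclosing function starts and ends outside the hunk.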