changeset 5488:b0dfed9a569f

merged moin/1.8
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Wed, 03 Feb 2010 13:44:22 +0100
parents 686b698d48ee (current diff) 91aa8c3c515b (diff)
children ca71e01d845b
files MoinMoin/action/newaccount.py MoinMoin/action/userprofile.py MoinMoin/userform/admin.py MoinMoin/userprefs/notification.py
diffstat 4 files changed, 24 insertions(+), 6 deletions(-) [+]
--- a/MoinMoin/action/newaccount.py	Wed Feb 03 02:19:45 2010 +0100
+++ b/MoinMoin/action/newaccount.py	Wed Feb 03 13:44:22 2010 +0100
@@ -20,6 +20,9 @@
     if request.method != 'POST':
         return
 
+    if not wikiutil.checkTicket(request, form.get('ticket', '')):
+        return
+
     if not TextCha(request).check_answer_from_form():
         return _('TextCha: Wrong answer! Go back and try again...')
 
@@ -90,6 +93,10 @@
     url = request.page.url(request)
     ret = html.FORM(action=url)
     ret.append(html.INPUT(type='hidden', name='action', value='newaccount'))
+
+    ticket = wikiutil.createTicket(request)
+    ret.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
+
     lang_attr = request.theme.ui_lang_attr()
     ret.append(html.Raw('<div class="userpref"%s>' % lang_attr))
     tbl = html.TABLE(border="0")
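Review bot: The `value="%s" % ticket` formatting on the added INPUT line is presumably redundant if `wikiutil.createTicket` already returns a string (its return type is not visible here); `value=ticket` would then match the surrounding `value='newaccount'` style on the line above. The same formatting is repeated in the admin.py hunk and in the notification.py form-building hunk, so whichever form is chosen should be applied in all three places. The enclosing form-building function starts before and continues after this hunk.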
--- a/MoinMoin/action/userprofile.py	Wed Feb 03 02:19:45 2010 +0100
+++ b/MoinMoin/action/userprofile.py	Wed Feb 03 13:44:22 2010 +0100
@@ -6,7 +6,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 from MoinMoin.Page import Page
-from MoinMoin import user
+from MoinMoin import user, wikiutil
 
 def execute(pagename, request):
     """ set values in user profile """
@@ -16,7 +16,8 @@
 
     if not request.user.isSuperUser():
         request.theme.add_msg(_("Only superuser is allowed to use this action."), "error")
-    else:
+    elif (request.method == 'POST' and
+          wikiutil.checkTicket(request, form.get('ticket', ''))):
         user_name = form.get('name', '')
         key = form.get('key', '')
         val = form.get('val', '')
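Review bot: The ticket produced for this action in admin.py is created with `action='userprofile'`, but the check on the new `elif` line calls `wikiutil.checkTicket(request, ...)` without naming an expected action, so whether the ticket is actually bound to this action depends on checkTicket deriving it from the request or the ticket itself — worth confirming, otherwise a ticket minted for any other action would pass here. If checkTicket accepts an action argument, passing `action='userprofile'` on the check side would make the binding explicit. The body of `execute` continues past the end of this hunk.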
--- a/MoinMoin/userform/admin.py	Wed Feb 03 02:19:45 2010 +0100
+++ b/MoinMoin/userform/admin.py	Wed Feb 03 13:44:22 2010 +0100
@@ -61,6 +61,8 @@
         url = request.page.url(request)
         ret = html.FORM(action=url)
         ret.append(html.INPUT(type='hidden', name='action', value='userprofile'))
+        ticket = wikiutil.createTicket(request, action='userprofile')
+        ret.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
         ret.append(html.INPUT(type='hidden', name='name', value=account.name))
         ret.append(html.INPUT(type='hidden', name='key', value="disabled"))
         ret.append(html.INPUT(type='hidden', name='val', value=val))
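Review bot: The added `wikiutil.createTicket(request, action='userprofile')` call relies on `wikiutil` being in scope in admin.py, yet this commit adds the `wikiutil` import only to userprofile.py and notification.py (the diffstat's 24 insertions are fully accounted for by the shown hunks), so admin.py must already import it or form rendering raises NameError for every admin page. Please confirm the import exists at the top of admin.py; the enclosing method starts before this hunk and its import block is not shown.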
--- a/MoinMoin/userprefs/notification.py	Wed Feb 03 02:19:45 2010 +0100
+++ b/MoinMoin/userprefs/notification.py	Wed Feb 03 13:44:22 2010 +0100
@@ -8,7 +8,7 @@
     @license: GNU GPL, see COPYING for details.
 """
 
-from MoinMoin import events
+from MoinMoin import events, wikiutil
 from MoinMoin.widget import html
 from MoinMoin.userprefs import UserPrefBase
 
@@ -46,8 +46,6 @@
         _ = self._
         form = self.request.form
 
-        if self.request.method != 'POST':
-            return
         theuser = self.request.user
         if not theuser:
             return
@@ -76,11 +74,18 @@
 
     def handle_form(self):
         _ = self._
-        form = self.request.form
+        request = self.request
+        form = request.form
 
         if form.has_key('cancel'):
             return
 
+        if request.method != 'POST':
+            return
+
+        if not wikiutil.checkTicket(request, form.get('ticket', '')):
+            return
+
         if form.has_key('save'): # Save user profile
             return self._save_notification_settings()
 
@@ -138,6 +143,9 @@
         self._form.append(html.INPUT(type="hidden", name="action", value="userprefs"))
         self._form.append(html.INPUT(type="hidden", name="handler", value="prefs"))
 
+        ticket = wikiutil.createTicket(self.request)
+        self._form.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
+
         if (not (self.cfg.mail_enabled and self.request.user.email)
             and not (self.cfg.jabber_enabled and self.request.user.jid)):
             self.make_row('', [html.Text(