changeset 5471:d09832475f04

add ticket to userprefs settings
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 02 Feb 2010 13:30:25 +0100
parents 8186aa2c7c9f
children cded5f776bc1
files MoinMoin/userprefs/prefs.py
diffstat 1 files changed, 11 insertions(+), 5 deletions(-) [+]
--- a/MoinMoin/userprefs/prefs.py	Sun Jan 31 23:23:59 2010 +0100
+++ b/MoinMoin/userprefs/prefs.py	Tue Feb 02 13:30:25 2010 +0100
@@ -60,9 +60,6 @@
         form = self.request.form
         request = self.request
 
-        if request.method != 'POST':
-            return
-
         if not 'name' in request.user.auth_attribs:
             # Require non-empty name
             new_name = form.get('name', request.user.name)
@@ -221,12 +218,18 @@
 
 
     def handle_form(self):
-        _ = self._
-        form = self.request.form
+        request = self.request
+        form = request.form
 
         if 'cancel' in form:
             return
 
+        if request.method != 'POST':
+            return
+
+        if not wikiutil.checkTicket(request, form['ticket']):
+            return
+
         if 'save' in form: # Save user profile
             return self._save_user_prefs()
 
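Review bot: The added check in handle_form indexes `form['ticket']` directly, so a POST that carries no ticket field fails at the lookup instead of being rejected by checkTicket; depending on what request.form is, that is probably a KeyError-style exception rather than the quiet return used for a bad ticket. Writing it as `if not wikiutil.checkTicket(request, form.get('ticket', '')):` sends a missing and an invalid ticket down the same path. The rejection also returns None with no message, so a user whose ticket has expired would see the save silently dropped; if this handler can return a status string, a short message there would make it diagnosable. The rest of handle_form continues outside the hunk.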
@@ -390,6 +393,9 @@
             self._form.append(html.INPUT(type="hidden", name="action", value="userprefs"))
             self._form.append(html.INPUT(type="hidden", name="handler", value="prefs"))
 
+            ticket = wikiutil.createTicket(request)
+            self._form.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
+
         # Add buttons
         button_cell = []
         for name, label in buttons:
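Review bot: The hidden ticket input is appended at the indentation of the `action`/`handler` inputs, which puts it inside a conditional block whose condition lies above the hunk, while handle_form now requires a ticket on every POST. If the form can also be built on the other path, those submissions carry no ticket and would be rejected, so either confirm that path never posts to this handler or move the two lines to the unconditional level. The hunk also does not show `request` being bound in this method (the neighbouring lines go through `self._form`), so check it is a local here and otherwise use `self.request`. `value="%s" % ticket` can be just `value=ticket` unless the formatting is there to coerce a non-string.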