enabled csrf protection globally and added support for ajaxed requests.
proost committed Oct 27, 2017
1 parent 7785b52 commit 286a02a
Showing 3 changed files with 18 additions and 2 deletions.
5 changes: 4 additions & 1 deletion conekt/app.py
Expand Up @@ -18,7 +18,7 @@
from flask_login import current_user
from flask_admin import Admin

from conekt.extensions import toolbar, db, login_manager, cache, htmlmin, blast_thread, compress, whooshee, migrate
from conekt.extensions import toolbar, db, login_manager, cache, htmlmin, blast_thread, compress, whooshee, migrate,csrf


def create_app(config):
Expand Down Expand Up @@ -57,6 +57,9 @@ def configure_extensions(app):
# Enable HTMLMIN
htmlmin.init_app(app)

# Enable CSRF Protect globally
csrf.init_app(app)

# Enable DebugToolBar
toolbar.init_app(app)

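Review bot: `csrf.init_app(app)` in the second hunk enforces the token on every POST/PUT/PATCH/DELETE view in the application, but nothing in the commit shows that the existing form templates render the token or which endpoints are opted out with `@csrf.exempt`; a request without a valid token is answered with a 400, so any form that does not include `{{ form.hidden_tag() }}` or `{{ csrf_token() }}`, and any JSON endpoint called without the `X-CSRFToken` header, breaks as of this change. It is worth listing the intended exemptions, if any, in the commit description. configure_extensions begins outside the hunk. The import in the first hunk joins the names as `migrate,csrf`; PEP 8 spacing is `migrate, csrf`.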
4 changes: 3 additions & 1 deletion conekt/extensions.py
Expand Up @@ -8,14 +8,15 @@
from flask_sqlalchemy import SQLAlchemy
from flask_whooshee import Whooshee
from flask_migrate import Migrate
from flask_wtf.csrf import CSRFProtect

from sqlalchemy.engine import Engine
from sqlalchemy import event
from sqlite3 import Connection as SQLite3Connection

from conekt.flask_blast import BlastThread

__all__ = ['db', 'login_manager', 'cache', 'htmlmin', 'blast_thread', 'compress', 'whooshee', 'migrate']
__all__ = ['db', 'login_manager', 'cache', 'htmlmin', 'blast_thread', 'compress', 'whooshee', 'migrate', 'csrf']

db = SQLAlchemy()

Expand Down Expand Up @@ -57,3 +58,4 @@ def set_sqlite_pragma(dbapi_connection, connection_record):
compress = Compress()
whooshee = Whooshee()
migrate = Migrate()
csrf = CSRFProtect()
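Review bot: `csrf = CSRFProtect()` on the last line of the second hunk is the instance app.py initialises, but the module does not record that protection is global or how a view accepting non-browser POSTs opts out; a comment such as `# Global CSRF protection, initialised in create_app(); views that must accept requests without a token opt out with @csrf.exempt` would save the next reader a lookup. set_sqlite_pragma, named in the hunk header, begins outside the hunk.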
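--- a/conekt/templates/base.html
+++ b/conekt/templates/base.html
@@ -248,6 +248,17 @@
 </script>
 <script src="{{ url_for('static', filename='js/planet_pagination.js') }}"></script>
 <script src="{{ url_for('static', filename='js/planet_ajax_table.js') }}"></script>
+<script type="text/javascript">
+var csrf_token = "{{ csrf_token() }}";
+
+$.ajaxSetup({
+beforeSend: function(xhr, settings) {
+if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
+xhr.setRequestHeader("X-CSRFToken", csrf_token);
+}
+}
+});
+</script>
 {% block extrajs %}{% endblock %}
 </body>
 </html>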
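Review bot: Registering the token injection as `beforeSend` in `$.ajaxSetup` means any request that passes its own `beforeSend` option silently replaces this one, so that request goes out without the header and is rejected by the now-global CSRF check. Binding to the global send event instead is not overridable per call: `$(document).ajaxSend(function(event, xhr, settings) { if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !settings.crossDomain) { xhr.setRequestHeader("X-CSRFToken", csrf_token); } });`. The `crossDomain` guard is the right one to keep, since it stops the token from being sent to third-party origins. A one-line comment above `var csrf_token` noting that the header name must match the server's accepted CSRF header names would also help.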
