From 286a02a398936ae975161ca82a24c7a586591cec Mon Sep 17 00:00:00 2001
From: sepro
Date: Fri, 27 Oct 2017 15:34:30 +0200
Subject: [PATCH] enabled csrf protection globally and added support for ajaxed requests.
---
 conekt/app.py | 5 ++++-
 conekt/extensions.py | 4 +++-
 conekt/templates/base.html | 11 +++++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/conekt/app.py b/conekt/app.py
index 0241d61..1754761 100644
--- a/conekt/app.py
+++ b/conekt/app.py
@@ -18,7 +18,7 @@ from flask_login import current_user
 from flask_admin import Admin
-from conekt.extensions import toolbar, db, login_manager, cache, htmlmin, blast_thread, compress, whooshee, migrate
+from conekt.extensions import toolbar, db, login_manager, cache, htmlmin, blast_thread, compress, whooshee, migrate,csrf
 def create_app(config):
@@ -57,6 +57,9 @@ def configure_extensions(app):
 # Enable HTMLMIN
 htmlmin.init_app(app)
+ # Enable CSRF Protect globally
+ csrf.init_app(app)
+
 # Enable DebugToolBar
 toolbar.init_app(app)
diff --git a/conekt/extensions.py b/conekt/extensions.py
index 22bf463..5e3d167 100644
--- a/conekt/extensions.py
+++ b/conekt/extensions.py
@@ -8,6 +8,7 @@ from flask_sqlalchemy import SQLAlchemy
 from flask_whooshee import Whooshee
 from flask_migrate import Migrate
+from flask_wtf.csrf import CSRFProtect
 from sqlalchemy.engine import Engine
 from sqlalchemy import event
@@ -15,7 +16,7 @@ from conekt.flask_blast import BlastThread
-__all__ = ['db', 'login_manager', 'cache', 'htmlmin', 'blast_thread', 'compress', 'whooshee', 'migrate']
+__all__ = ['db', 'login_manager', 'cache', 'htmlmin', 'blast_thread', 'compress', 'whooshee', 'migrate', 'csrf']
 db = SQLAlchemy()
@@ -57,3 +58,4 @@ def set_sqlite_pragma(dbapi_connection, connection_record):
 compress = Compress()
 whooshee = Whooshee()
 migrate = Migrate()
+csrf = CSRFProtect()
\ No newline at end of file
diff --git a/conekt/templates/base.html b/conekt/templates/base.html
index d122036..83f9bbd 100644
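Review bot: `csrf.init_app(app)` in the `configure_extensions` hunk turns on token validation for every state-changing request, but nothing here registers a handler for the `CSRFError` that Flask-WTF raises on a missing or stale token, so the AJAX callers the commit adds support for will only ever see a generic 400 page. Consider adding `from flask_wtf.csrf import CSRFError` and an `@app.errorhandler(CSRFError)` that returns a short response carrying `e.description`, so a CSRF rejection is distinguishable from other bad requests and shows up as such in logs. Any endpoint that must accept requests without a token (webhooks or an external API, if the project has them) now needs an explicit `@csrf.exempt`, and each exemption deserves a one-line comment giving the reason, since that is the allow-list a reviewer will audit. CSRFProtect signs tokens with `WTF_CSRF_SECRET_KEY` falling back to `SECRET_KEY`, so that value has to be set in the config loaded before this call, preferably from the environment rather than source. In the first hunk `migrate,csrf` is missing the space after the comma (`migrate, csrf`); `configure_extensions` continues outside the hunk.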
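Review bot: The new `csrf = CSRFProtect()` line in the last extensions.py hunk is committed without a trailing newline (`\ No newline at end of file`), which turns the next edit to this file into a two-line diff of an unchanged line; end the file with a newline. The import and `__all__` hunks match the pattern of the other extension objects, so nothing further is needed there.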
--- a/conekt/templates/base.html
+++ b/conekt/templates/base.html
@@ -248,6 +248,17 @@
+ {% block extrajs %}{% endblock %}