Fix CSRF functionality for LoginForm

The login form was not respecting csrf validation. I've adjusted the tests as well to always send a CSRF token along. This now requires all requests to pass a csrf token. If performing plain AJAX requests the token will have to be extracted from the form in some way. Fixes #86
This commit is contained in:
Matt Wright
2013-02-01 17:23:18 -05:00
parent b82a8d681d
commit 34b3bf9e80
4 changed files with 72 additions and 77 deletions
+6 -5
View File
@@ -45,10 +45,7 @@ def valid_user_email(form, field):
class Form(BaseForm):
def __init__(self, *args, **kwargs):
if current_app.testing:
csrf_enabled = False
else:
csrf_enabled = request.json is None
kwargs.setdefault('csrf_enabled', csrf_enabled)
self.TIME_LIMIT = None
super(Form, self).__init__(*args, **kwargs)
@@ -83,6 +80,7 @@ class NewPasswordFormMixin():
validators=[password_required,
Length(min=6, max=128)])
class PasswordConfirmFormMixin():
password_confirm = PasswordField("Retype Password",
validators=[EqualTo('password', message="Passwords do not match")])
@@ -147,6 +145,7 @@ class PasswordlessLoginForm(Form, UserEmailFormMixin):
class LoginForm(Form, NextFormMixin):
"""The default login form"""
email = TextField('Email Address')
password = PasswordField('Password')
remember = BooleanField("Remember Me")
@@ -156,7 +155,8 @@ class LoginForm(Form, NextFormMixin):
super(LoginForm, self).__init__(*args, **kwargs)
def validate(self):
super(LoginForm, self).validate()
if not super(LoginForm, self).validate():
return False
if self.email.data.strip() == '':
self.email.errors.append('Email not provided')
@@ -187,6 +187,7 @@ class ConfirmRegisterForm(Form, RegisterFormMixin,
UniqueEmailFormMixin, NewPasswordFormMixin):
pass
class RegisterForm(ConfirmRegisterForm, PasswordConfirmFormMixin):
pass