views: implement CSRF protection
authorJeremy Kerr <jk@ozlabs.org>
Tue, 10 Aug 2010 04:11:40 +0000 (12:11 +0800)
committerJeremy Kerr <jk@ozlabs.org>
Tue, 10 Aug 2010 04:11:40 +0000 (12:11 +0800)
Since we've got the csrf token present, we may as well check it for
requests.

We're using RequestContext already (via PatchworkRequestContext), so we
just need to switch it on in the settings, and add an exemption on the
xmlrpc interface.

Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
apps/patchwork/views/xmlrpc.py
apps/settings.py

index 23e58bf279bd141f076a49f6cedc17a4bc3ac8f2..0d3321fc259d5e431cfc643d7fbd48d850ecf890 100644 (file)
@@ -29,6 +29,7 @@ from django.core import urlresolvers
 from django.shortcuts import render_to_response
 from django.contrib.auth import authenticate
 from patchwork.models import Patch, Project, Person, Bundle, State
+from django.views.decorators.csrf import csrf_exempt
 
 import sys
 import base64
@@ -120,6 +121,7 @@ class PatchworkXMLRPCDispatcher(SimpleXMLRPCDispatcher):
 dispatcher = PatchworkXMLRPCDispatcher()
 
 # XMLRPC view function
+@csrf_exempt
 def xmlrpc(request):
     if request.method != 'POST':
         return HttpResponseRedirect(
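Review bot: The `@csrf_exempt` on `xmlrpc` carries no comment explaining why the exemption is safe, and that is the line a later reader will question: exempting a view is only sound if the view never honours session-cookie authentication, otherwise every state-changing RPC method becomes a cross-site request target once the middleware is switched on. The `authenticate` and `base64` imports above suggest per-request HTTP Basic credentials rather than the session, but the hunk does not show how the credentials are obtained, so this should be confirmed. A one-line comment would pin the assumption: `# CSRF-exempt: XML-RPC clients authenticate per request (not via the session cookie), so the token check does not apply — keep it that way.`. The body of `xmlrpc` continues outside the hunk.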
index 20c8db3f4ed0d13d203da6d75acae20c640c7f2d..68837b3d16297b28228dd845befa413be0852f8a 100644 (file)
@@ -62,6 +62,7 @@ MIDDLEWARE_CLASSES = (
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.middleware.doc.XViewMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
 )
 
 ROOT_URLCONF = 'apps.urls'
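Review bot: The new `CsrfViewMiddleware` entry has no comment recording its ordering constraint, and the tuple gives no other hint: it must sit after `SessionMiddleware` (which it does here) and, per Django's guidance, before any view middleware that assumes CSRF has already been handled. `XViewMiddleware` on the line above does not appear to be such a middleware, but without a note the next editor reordering the tuple has nothing to stop them. A comment such as `# must come after SessionMiddleware; before any view middleware that relies on CSRF checks` would make the dependency explicit. Enabling the check site-wide also means any POST form not rendered with the token now fails with a 403, which the description says is covered by the existing RequestContext usage — worth a quick check of any form rendered outside it.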