misc: add form token when form is single page (#43348) #1161
1ac00454fc to e5cf5e2d02
@ -5976,0 +5996,4 @@
form_data['magictoken'] = 'xxx'
# simulate call from remote/attacker site (form token prevents this)
resp = app.post(formdef.get_url(), params=form_data)
assert 'The form you have submitted is invalid.' in resp.text
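Review bot: The assertion on resp.text after the forged post checks only the error message, not that the submission was discarded. Add a check after it that no form data was stored for formdef, so the test fails if the error is displayed but the data is recorded anyway. A short comment on form_data['magictoken'] = 'xxx' saying that it stands for a token the session never issued would also make the setup easier to read.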
This is the situation originally described in the ticket.
@ -5976,0 +5998,4 @@
resp = app.post(formdef.get_url(), params=form_data)
assert 'The form you have submitted is invalid.' in resp.text
# with confirmation page
Then this one, to validate the comment on the ticket:
@ -5976,0 +6014,4 @@
resp = app.post(formdef.get_url(), params=form_data, status=302)
assert resp.location == formdef.get_url()
# with multiple pages
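Review bot: The assert on resp.location after the status=302 post has no comment explaining why a redirect to formdef.get_url() is the expected outcome here, when the earlier case asserts the 'The form you have submitted is invalid.' message instead. Add a one-line comment above the post stating that the redirect back to the form URL is how this case rejects the forged request, so a reader does not take the 302 for a successful submission.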
And this one for the other part of the comment:
@ -623,1 +624,4 @@
form = self.create_form(page, displayed_fields, transient_formdata=transient_formdata)
if page_change is False and page_error_messages:
# ignore form token when there are other errors
form._names.pop('_form_id', None)
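Review bot: The literal '_form_id' in form._names.pop('_form_id', None) hard-codes a name that the hunk adding the widget refers to as form.TOKEN_NAME, and the pop reaches into the private _names mapping. Use form.TOKEN_NAME here so the add and the removal stay in sync, and extend the comment to say why skipping the token check is safe in this branch (page_change is False and page_error_messages is set): the request should end in the form being shown again with its errors, never in a stored submission.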
This part is a bit lame, but it is needed to keep an appropriate error message displayed in test_form_item_data_source_error_no_confirmation (without it, the invalid-token message is displayed, which would be misleading).
@ -1005,0 +1009,4 @@
if len(self.pages) == 1 and not self.formdef.confirmation:
# if there's a form with a single page, no confirmation, add native quixote
# CSRF protection.
form.add(FormTokenWidget, form.TOKEN_NAME)
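Review bot: The comment above form.add(FormTokenWidget, form.TOKEN_NAME) says when the token is added but not why the other cases go without it. Since the condition len(self.pages) == 1 and not self.formdef.confirmation excludes multi-page forms and forms with a confirmation page, state in the comment what protects those, so that a later change to that mechanism does not silently leave them uncovered.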
This is the actual fix for the ticket: using quixote's FormTokenWidget for single-page forms without confirmation.
WIP: misc: add form token when form is single page (#43348) to misc: add form token when form is single page (#43348)