mirror of
https://gitlab.com/SIGBUS/nyaa.git
synced 2024-12-23 00:30:05 +00:00
Re-enable CSRF token for upload & fix API CSRF handling
parent
efb44724e1
commit
a1c024a342
|
@ -104,7 +104,7 @@ def api_upload(upload_request, user):
|
||||||
return flask.make_response(flask.jsonify(
|
return flask.make_response(flask.jsonify(
|
||||||
{'Failure': ['No torrent file was attached.']}), 400)
|
{'Failure': ['No torrent file was attached.']}), 400)
|
||||||
|
|
||||||
form = forms.UploadForm(CombinedMultiDict((torrent_file, form_info)))
|
form = forms.UploadForm(CombinedMultiDict((torrent_file, form_info)), csrf_enabled=False)
|
||||||
form.category.choices = _create_upload_category_choices()
|
form.category.choices = _create_upload_category_choices()
|
||||||
|
|
||||||
if upload_request.method == 'POST' and form.validate():
|
if upload_request.method == 'POST' and form.validate():
|
||||||
|
@ -166,7 +166,7 @@ def v2_api_upload():
|
||||||
mapped_dict[mapped_key] = request_data.get(key) or ''
|
mapped_dict[mapped_key] = request_data.get(key) or ''
|
||||||
|
|
||||||
# Flask-WTF (very helpfully!!) automatically grabs the request form, so force a None formdata
|
# Flask-WTF (very helpfully!!) automatically grabs the request form, so force a None formdata
|
||||||
upload_form = forms.UploadForm(None, data=mapped_dict)
|
upload_form = forms.UploadForm(None, data=mapped_dict, csrf_enabled=False)
|
||||||
upload_form.category.choices = _create_upload_category_choices()
|
upload_form.category.choices = _create_upload_category_choices()
|
||||||
|
|
||||||
if upload_form.validate():
|
if upload_form.validate():
|
||||||
|
|
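Review bot: Both `forms.UploadForm(...)` calls changed in this file (in `api_upload` and in `v2_api_upload`) now skip the CSRF check, and neither says why that is safe. It holds only if these paths authenticate from credentials sent explicitly with each request. If a browser session cookie or cached HTTP auth can satisfy them, a cross-site POST would pass validation. The authentication for both functions is outside the hunks, so that needs confirming, and a comment such as `# CSRF disabled: API callers authenticate per request, not via the session cookie` should record it at both call sites. Separately, Flask-WTF 0.14 deprecated the `csrf_enabled` keyword in favour of `meta={'csrf': False}`, so it is better written that way if the project is on that release or later.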
|
@ -167,9 +167,6 @@ class EditForm(FlaskForm):
|
||||||
|
|
||||||
class UploadForm(FlaskForm):
|
class UploadForm(FlaskForm):
|
||||||
|
|
||||||
class Meta:
|
|
||||||
csrf = False
|
|
||||||
|
|
||||||
torrent_file = FileField('Torrent file', [
|
torrent_file = FileField('Torrent file', [
|
||||||
FileRequired()
|
FileRequired()
|
||||||
])
|
])
|
||||||
|
|
|
@ -14,6 +14,8 @@
|
||||||
|
|
||||||
<div id="upload-drop-zone"><span>Drop here!</span></div>
|
<div id="upload-drop-zone"><span>Drop here!</span></div>
|
||||||
<form method="POST" enctype="multipart/form-data">
|
<form method="POST" enctype="multipart/form-data">
|
||||||
|
{{ upload_form.csrf_token }}
|
||||||
|
|
||||||
{% if config.ENFORCE_MAIN_ANNOUNCE_URL %}<p><strong>Important:</strong> Please include <kbd>{{ config.MAIN_ANNOUNCE_URL }}</kbd> in your trackers</p>{% endif %}
|
{% if config.ENFORCE_MAIN_ANNOUNCE_URL %}<p><strong>Important:</strong> Please include <kbd>{{ config.MAIN_ANNOUNCE_URL }}</kbd> in your trackers</p>{% endif %}
|
||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="col-md-6">
|
<div class="col-md-6">
|
||||||
|
|
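Review bot: The token is rendered at `{{ upload_form.csrf_token }}`, but nothing in the visible lines displays `upload_form.csrf_token.errors`. A missing or expired token would then fail `validate()` with no message to the uploader, unless the template handles it further down. The rest of the form is outside the hunk. If field errors are rendered per field there, the token field needs the same treatment, or a general message for a failed CSRF check.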