Commit 7751b518 authored by Daniel Stan's avatar Daniel Stan

csrf token en ajaj pour transfert/don

parent ea7b226f
......@@ -18,6 +18,7 @@ import nk
# Pour bypasser le test de Cross-Site Request Forgery
from django.views.decorators.csrf import csrf_exempt
# TODO: vérifier que les exempts suivants peuvent être retirés sans risques
@csrf_exempt
def quick_search(request):
"""Renvoie l'objet JSON résultat d'un quick_search,
......@@ -207,7 +208,6 @@ def do_credit_retrait(request, action):
else:
return HttpResponse(u'"Erreur"')
@csrf_exempt
def do_transfert(request):
"""Gestion de la requête AJAJ pour un transfert."""
......
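Review bot: `quick_search` keeps its `@csrf_exempt` (the decorator directly above `def quick_search`) even though every XHR shown in this commit now sends `X-CSRFToken`, so the TODO added just above it could be resolved in the same change rather than deferred; if the view only reads data, the cleaner fix is to serve it on GET, which Django's CSRF middleware does not check, and drop the exemption. The second hunk removes the exemption from `do_transfert` without recording why it is now safe; a one-line comment such as `# CSRF: checked by CsrfViewMiddleware, the client sends the X-CSRFToken header` would keep the next maintainer from re-adding the decorator when a request fails with 403. Both enclosing functions (`quick_search` and `do_credit_retrait`) extend outside the hunks, so I cannot tell from here whether the remaining exempt views mutate state.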
......@@ -134,6 +134,7 @@ function restore_display_stack(secondstack) {
data.push(display_stack_used[note]["idbde"])
}
xhr.open("POST", NOTE_ROOT_URL + "get_display_info/", true);
xhr.setRequestHeader("X-CSRFToken", csrftoken);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("asked=" + encodeURIComponent(JSON.stringify(data)));
......@@ -507,6 +508,7 @@ function do_conso_many_boutons(idbde, matching_term) {
};
//On fabrique la requête en utilisant l'idbde et en parsant stack_button
xhr.open("POST", NOTE_ROOT_URL + "do_conso/", true);
xhr.setRequestHeader("X-CSRFToken", csrftoken);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var consodata = ""
for (var i_but in stack_button) {
......@@ -588,6 +590,7 @@ function do_conso_many_notes(idbut, labelbut) {
};
//On fabrique la requête en utilisant l'idbut et en parsant stack
xhr.open("POST", NOTE_ROOT_URL + "do_conso/", true);
xhr.setRequestHeader("X-CSRFToken", csrftoken);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var consodata = ""
for (var i_compte in stack) {
......@@ -675,6 +678,7 @@ function do_conso_multiples() {
};
//On fabrique la requête en parsant les deux stacks
xhr.open("POST", NOTE_ROOT_URL + "do_conso/", true);
xhr.setRequestHeader("X-CSRFToken", csrftoken);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var consodata = ""
for (var i_button in stack_button) {
......@@ -760,6 +764,7 @@ function displayAccount(objetnote, note, idbde, solde, timenegatif, aka) {
};
//On fabrique la requête en utilisant l'idbut et en parsant stack
xhr.open("POST", NOTE_ROOT_URL + "get_photo/" + idbde + "/", true);
xhr.setRequestHeader("X-CSRFToken", csrftoken);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send(null);
}
......@@ -974,6 +979,7 @@ function transferer() {
}
};
xhr.open("POST", NOTE_ROOT_URL + "do_transfert/", true);
xhr.setRequestHeader("X-CSRFToken", csrftoken);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var transfertdata = [page_dons, emetteurs, destinataires, montant_field.value, commentaire_field.value];
transfertdata = JSON.stringify(transfertdata);
......
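Review bot: Each new `xhr.setRequestHeader("X-CSRFToken", csrftoken);` line (first at the `get_display_info/` request, repeated in every hunk of this file) sends `csrftoken` unconditionally, and when the `csrftoken` cookie is absent that variable is `null`, so the header goes out as the literal string "null" and Django answers 403; the `onreadystatechange` handlers closed by the `};` above each `xhr.open` are outside the hunks, so whether they distinguish a 403 from a successful reply cannot be seen here, and the user may get a silent failure or a parse error instead of a CSRF message. The requests that only read data, `get_display_info/` and `get_photo/` (sent with `xhr.send(null)`), would not need the token at all if they used GET, which the CSRF middleware does not check. A guard such as `if (csrftoken) { xhr.setRequestHeader("X-CSRFToken", csrftoken); }` together with an explicit `status == 403` branch in the handlers would make the failure visible. All enclosing functions start outside the hunks.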
......@@ -18,6 +18,23 @@ function getXMLHttpRequest() {
alert("Votre navigateur ne supporte pas l'objet XMLHTTPRequest…");
return null;
}
return xhr;
}
// https://docs.djangoproject.com/en/dev/ref/csrf/
function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = cookies[i].replace(/^\s\s*/, '').replace(/\s\s*$/, '');
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) == (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
var csrftoken = getCookie('csrftoken');
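Review bot: `var csrftoken = getCookie('csrftoken');` is evaluated once at script load and every later request reuses that value, yet Django rotates the CSRF token on login, so a page left open across a re-login would send a stale token and get 403; with `CSRF_COOKIE_HTTPONLY` enabled the cookie is unreadable from script and this yields `null`, in which case the value has to come from the `{% csrf_token %}` hidden input instead. Reading the token at request time, `function getCsrfToken() { return getCookie('csrftoken'); }`, and calling that where the header is set avoids the stale-token case and gives one place to switch to the form field later. In `getCookie`, the `==` comparisons on `document.cookie != ''` and on the cookie prefix are string-to-string and behave correctly, but `===` would be the conventional choice and avoids any question of coercion.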