csrf
authorgniibe <devnull@localhost>
Mon, 2 May 2011 11:02:57 +0000 (20:02 +0900)
committergniibe <devnull@localhost>
Mon, 2 May 2011 11:02:57 +0000 (20:02 +0900)
19 files changed:
accounting/views.py
meeting_attendance/views.py
membership/views.py
settings.py
templates/accounting/tr_le.html
templates/accounting/transaction_list.html
templates/membership/edit_member_payment.html
templates/membership/member_address.html
templates/membership/member_address_old.html
templates/membership/member_edit.html
templates/membership/member_email.html
templates/membership/member_payment.html
templates/membership/payment_list.html
templates/registration/login.html
templates/registration/password_change_form.html
templates/registration/password_reset_confirm.html
templates/registration/password_reset_form.html
templates/top_page.html
views.py

index ae3dc2e..f7adfa5 100644 (file)
@@ -1,4 +1,5 @@
 # -*- coding: utf-8-*-
+from django.core.context_processors import csrf
 from django.shortcuts import render_to_response, get_object_or_404
 from django.contrib.auth.decorators import login_required, user_passes_test
 from django.http import HttpResponse, HttpResponseRedirect
@@ -10,9 +11,9 @@ import datetime, time
 @user_passes_test(lambda u: u.has_perm('accounting.can_manage'), LOGIN_URL)
 def transaction(request,id):
     t = Transaction.objects.get(pk=id)
-    return render_to_response('accounting/transaction.html',
-                              {'t': t,
-                               })
+    ctxt = {'t': t, }
+    ctxt.update(csrf(request))
+    return render_to_response('accounting/transaction.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('accounting.can_manage'), LOGIN_URL)
 def transaction_new(request):
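Review bot: Merging `csrf(request)` by hand into each context is easy to forget, and `transaction_new` — which begins on the last line of this hunk with its body outside it — is not touched by the commit, so if it renders a POST form via `render_to_response` with a plain dict, that form will be refused with 403 once `CsrfViewMiddleware` is enabled. Rendering with a request context lets the default `csrf` context processor supply the token in every view without per-view bookkeeping: `return render_to_response('accounting/transaction.html', {'t': t}, context_instance=RequestContext(request))` (with `from django.template import RequestContext`). Separately, `Transaction.objects.get(pk=id)` raises `DoesNotExist` for an unknown id and surfaces as a 500; `get_object_or_404`, already imported in this file, would make that a 404.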
@@ -86,33 +87,31 @@ def transaction_list(request,year=None):
         tr_list = Transaction.objects.filter(date__range=(fy.begin(),fy.end())).order_by('date')
     else:
         tr_list = Transaction.objects.all().order_by('-date')
-    return render_to_response('accounting/transaction_list.html',
-                              {'year' : year,
+    ctxt = {'year' : year,
                                'tr_list': tr_list,
                                'b_list': Business.objects.all(),
                                'a_list': Account.objects.all(),
                                'members': Member.objects.all(),
                                'original_path': request.path,
-                               })
+                               }
+    ctxt.update(csrf(request))
+    return render_to_response('accounting/transaction_list.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('accounting.can_manage'), LOGIN_URL)
 def account_list(request,year):
     gles = GeneralLedgerEntry(int(year))
-    return render_to_response('accounting/account_list.html',
-                              {'year' : year,
-                               'ac_list': gles.get_gles(),
-                               })
+    ctxt = {'year' : year, 'ac_list': gles.get_gles(), }
+    ctxt.update(csrf(request))
+    return render_to_response('accounting/account_list.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('accounting.can_view_sheets'), LOGIN_URL)
 def bs_pl_cf(request,year):
     gles = GeneralLedgerEntry(int(year))
     cash_accounts = Account.objects.filter(is_cash=True).order_by('-name')
     cash_initial_list = map(lambda x: gles.get_initial_value(x), cash_accounts)
-    return render_to_response('accounting/bs_pl_cf.html',
-                              {'year' : year,
-                               'ac_list': gles.get_gles(),
-                               'fy': gles.fy,
-                               'pl_total': gles.get_pl_total(),
-                               'cash_total': gles.get_cash_total(),
-                               'cash_initial_list': cash_initial_list,
-                               })
+    ctxt = {'year' : year, 'ac_list': gles.get_gles(),
+            'fy': gles.fy, 'pl_total': gles.get_pl_total(),
+            'cash_total': gles.get_cash_total(),
+            'cash_initial_list': cash_initial_list, }
+    ctxt.update(csrf(request))
+    return render_to_response('accounting/bs_pl_cf.html', ctxt)
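Review bot: `account_list` and `bs_pl_cf` now merge a CSRF token into their contexts, yet neither `accounting/account_list.html` nor `accounting/bs_pl_cf.html` is among the 19 files listed at the top of this commit, so either those templates post no forms (and the merge is dead weight) or they do and still lack `{% csrf_token %}`, in which case their submits start failing with 403 as soon as the middleware is on. Before deploying, grep the untouched templates for `method="POST"` and either add the tag or drop the merge. `transaction_list` also passes `request.path` into the `original_path` hidden field of the delete form; if the delete handler (outside this diff) redirects to that posted value unchecked, the target is caller-controlled — presumably harmless now that the form is token-protected, but worth confirming.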
index ebb1ad6..a5afee4 100644 (file)
@@ -1,3 +1,4 @@
+from django.core.context_processors import csrf
 from django.shortcuts import render_to_response, get_object_or_404
 from fsij.meeting_attendance.models import Meeting, Attendance, Registration, Result
 from fsij.membership.models import Member
@@ -29,14 +30,12 @@ def detail(request, object_id):
         except (KeyError, Result.DoesNotExist):
             pass
     request.session.set_test_cookie()
-    return render_to_response('meeting_attendance/meeting_detail.html',
-                              {'object': m,
-                               'form': AuthenticationForm(request),
-                               'next' : request.path,
-                               'user' : request.user,
-                               'meeting_finished' : finished,
-                               'attended' : result,
-                               'registration' : r })
+    ctxt = {'object': m, 'form': AuthenticationForm(request),
+            'next' : request.path, 'user' : request.user,
+            'meeting_finished' : finished, 'attended' : result,
+            'registration' : r }
+    ctxt.update(csrf(request))
+    return render_to_response('meeting_attendance/meeting_detail.html', ctxt)
 
 @login_required
 def register(request, object_id):
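Review bot: `detail` renders the login `AuthenticationForm` and now merges `csrf(request)`, but no template under `templates/meeting_attendance/` appears in this commit's file list, so `meeting_detail.html` presumably still emits that form without `{% csrf_token %}` — and with `CsrfViewMiddleware` enabled the POST to the login view will then be refused with 403. Django also only sets the `csrftoken` cookie on a response when the token is actually rendered, so merging it into the context alone does not prime the client. The enclosing `detail` function starts before this hunk.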
@@ -63,10 +62,9 @@ def register(request, object_id):
 def registration_list(request, object_id):
     m = get_object_or_404(Meeting, pk=object_id)
     l = m.registration_set.all()
-    return render_to_response('meeting_attendance/registration_list.html',
-                              {'object': m,
-                               'list' : l,
-                               })
+    ctxt = {'object': m, 'list' : l, }
+    ctxt.update(csrf(request))
+    return render_to_response('meeting_attendance/registration_list.html', ctxt)
 
 # @permission_required('meeting_attendance.can_list_result')
 @user_passes_test(lambda u: u.has_perm('meeting_attendance.can_list_result'), LOGIN_URL)
@@ -74,11 +72,9 @@ def attendance_list(request, object_id):
     m = get_object_or_404(Meeting, pk=object_id)
     l = m.result_set.all()
     all_members = Member.objects.all()
-    return render_to_response('meeting_attendance/attendance_list.html',
-                              {'object': m,
-                               'list' : l,
-                               'members' : all_members,
-                               })
+    ctxt = {'object': m, 'list' : l, 'members' : all_members, }
+    ctxt.update(csrf(request))
+    return render_to_response('meeting_attendance/attendance_list.html', ctxt)
 
 # @permission_required('meeting_attendance.can_change_result')
 @user_passes_test(lambda u: u.has_perm('meeting_attendance.can_change_results'), LOGIN_URL)
index 68dfce2..1c2a18c 100644 (file)
@@ -1,4 +1,5 @@
 # -*- coding: utf-8-*-
+from django.core.context_processors import csrf
 from django.shortcuts import render_to_response, get_object_or_404
 from django.contrib.auth.decorators import login_required, user_passes_test
 from fsij.membership.models import *
@@ -9,9 +10,9 @@ import datetime, time, re
 from fsij.accounting.models import LedgerEntry
 
 def member_index(request, member):
-    return render_to_response('membership/member_index.html',
-                              {'member': member,
-                               })
+    ctxt = {'member': member, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_index.html', ctxt)
 
 def member_email(request, member, manage=False):
     errors = None
@@ -26,13 +27,11 @@ def member_email(request, member, manage=False):
     if referrer:
        parent_is_list = (not re.match(".*/list/$", referrer))
     else: parent_is_list = None
-    return render_to_response('membership/member_email.html',
-                              {'member': member,
-                               'email': email,
-                               'errors': errors,
-                               'original_path': request.path,
-                               'reload_parent': parent_is_list and manage,
-                               })
+    ctxt = {'member': member, 'email': email,
+            'errors': errors, 'original_path': request.path,
+            'reload_parent': parent_is_list and manage, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_email.html', ctxt)
 
 def register_member_email(request, member):
     email = request.POST['email']
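Review bot: `register_member_email`, which begins on the last two lines of this hunk and continues past it, reads `request.POST['email']` with no method check; `CsrfViewMiddleware` validates only unsafe methods (POST/PUT/DELETE), so any state-changing view that can be driven through GET parameters sidesteps the protection this commit adds. Decorating the mutating handlers (`register_member_email`, `register_member_address`, `add_member_payment` and the like) with `@require_POST` from `django.views.decorators.http` closes that gap explicitly instead of relying on the `KeyError` a GET would happen to raise here. A missing field also surfaces as a 500 via `MultiValueDictKeyError`; `request.POST.get('email', '')` would let the existing `errors` path report it instead.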
@@ -67,13 +66,11 @@ def member_address(request, member, manage=False):
     if referrer:
        parent_is_list = (not re.match(".*/list/$", referrer))
     else: parent_is_list = None
-    return render_to_response('membership/member_address.html',
-                              {'member': member,
-                               'addr': addr,
-                               'errors': errors,
-                               'original_path': request.path,
-                               'reload_parent': parent_is_list and manage,
-                               })
+    ctxt = {'member': member, 'addr': addr, 'errors': errors,
+            'original_path': request.path,
+            'reload_parent': parent_is_list and manage, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_address.html', ctxt)
 
 def register_member_address(request, member):
     try: request.POST['contact_is_home']
@@ -166,14 +163,13 @@ def member_payment(request, member, manage=False):
     if referrer:
        parent_is_list = (not re.match(".*/list/$", referrer))
     else: parent_is_list = None
-    return render_to_response('membership/member_payment.html',
-                              {'member': member,
-                               'payments': payments,
-                               'cur_advance_payment': advance_payment,
-                               'reload_parent': parent_is_list and manage,
-                               'manage' : manage,
-                               'fee_list' : fee_list,
-                               'member_type_list': MEMBER_TYPE })
+    ctxt = {'member': member, 'payments': payments,
+            'cur_advance_payment': advance_payment,
+            'reload_parent': parent_is_list and manage,
+            'manage' : manage, 'fee_list' : fee_list,
+            'member_type_list': MEMBER_TYPE }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_payment.html', ctxt)
 
 def add_member_payment(request, member):
     p = MemberPayment(member = member,
@@ -246,17 +242,13 @@ def edit_member_payment(request, member_payment):
         payments = member.memberpayment_set.order_by('-date', '-fee_year')
     except (MemberPayment.DoesNotExist):
         payments = None
-    return render_to_response('membership/edit_member_payment.html',
-                              {'date': date,
-                               'errors': errors,
-                               'orig_fee_year': orig_fee_year,
-                               'payments': payments,
-                               'member': member,
-                               'members': Member.objects.all(),
-                               'fee_list': fee_list,
-                               'member_type_list': MEMBER_TYPE,
-                               'original_path': orig_url,
-                               })
+    ctxt = {'date': date, 'errors': errors,
+            'orig_fee_year': orig_fee_year, 'payments': payments,
+            'member': member, 'members': Member.objects.all(),
+            'fee_list': fee_list, 'member_type_list': MEMBER_TYPE,
+            'original_path': orig_url, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/edit_member_payment.html', ctxt)
 
 def register_member_payment(request, member_payment):
     member_id = request.POST['member_id']
@@ -328,13 +320,11 @@ def manage_member(request, member_id, new):
     if referrer:
        parent_is_list = (not re.match(".*/list/$", referrer))
     else: parent_is_list = None
-    return render_to_response('membership/member_edit.html',
-                              {'member': member,
-                               'member_type_list': MEMBER_TYPE,
-                               'original_path': request.path,
-                               'reload_parent': parent_is_list,
-                               'errors': errors,
-                               })
+    ctxt = {'member': member, 'member_type_list': MEMBER_TYPE,
+            'original_path': request.path, 'reload_parent': parent_is_list,
+            'errors': errors, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_edit.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('membership.can_manage'), LOGIN_URL)
 def manage_register_member(request, member_id):
@@ -423,22 +413,23 @@ def manage_register_member_payment(request, member_payment_id):
 
 @user_passes_test(lambda u: u.has_perm('membership.can_manage'), LOGIN_URL)
 def member_list_top(request):
-    return render_to_response('membership/member_list_top.html',
-                              { })
+    ctxt = { }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_list_top.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('membership.can_manage'), LOGIN_URL)
 def member_list(request):
     member_list = Member.objects.filter(date_quit__isnull=True).order_by('member_id')
-    return render_to_response('membership/member_list.html',
-                              {'members': member_list,
-                               })
+    ctxt = {'members': member_list, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_list.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('membership.can_manage'), LOGIN_URL)
 def payment_list(request):
     payments = MemberPayment.objects.all().order_by('date')
-    return render_to_response('membership/payment_list.html',
-                              {'payments': payments,
-                               })
+    ctxt = {'payments': payments, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/payment_list.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('membership.can_manage'), LOGIN_URL)
 def valid_member_list(request,year):
@@ -456,12 +447,10 @@ def valid_member_list(request,year):
     for m in member_list_old:
         if not m in member_list:
             deleted.append(m)
-    return render_to_response('membership/valid_member_list.html',
-                              {'stable': stable,
-                               'added': added,
-                               'deleted': deleted,
-                               'year': year,
-                               })
+    ctxt = {'stable': stable, 'added': added,
+            'deleted': deleted, 'year': year, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/valid_member_list.html', ctxt)
 
 @user_passes_test(lambda u: u.has_perm('membership.can_manage'), LOGIN_URL)
 def member_browse(request):
@@ -474,7 +463,6 @@ def member_browse(request):
             members = Member.objects.all()
     else:
         members = None
-    return render_to_response('membership/member_browse.html',
-                              {'req': request,
-                               'members': members,
-                               })
+    ctxt = {'req': request, 'members': members, }
+    ctxt.update(csrf(request))
+    return render_to_response('membership/member_browse.html', ctxt)
index 7ea3317..f4257c5 100644 (file)
@@ -64,6 +64,7 @@ MIDDLEWARE_CLASSES = (
     'django.middleware.common.CommonMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
 )
 
 ROOT_URLCONF = 'fsij.urls'
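Review bot: Adding `CsrfViewMiddleware` is the line in this commit that actually enforces anything, and it applies project-wide, not only to the views edited here: any POST form in a template outside the 19-file list, any view still rendering with a plain dict, and any JavaScript-driven POST that does not send the token will now get a 403. Its position after `SessionMiddleware` and `AuthenticationMiddleware` is fine. Two follow-ups this hunk does not show: if the site is served over HTTPS, `CSRF_COOKIE_SECURE = True` (and `SESSION_COOKIE_SECURE = True`) keep the cookies off plaintext connections, and `CSRF_FAILURE_VIEW` can replace the bare default 403 page. The middleware only checks unsafe methods, so state-changing views must also refuse GET (`@require_POST`) for the protection to be complete.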
index 3722701..b3bf442 100644 (file)
@@ -1,5 +1,5 @@
 {% if not t.get_credit.memberpayment_set.get %}
-<form action="/membership/add_member_payment_with_le/" method="POST" style="margin-bottom: 0px">
+<form action="/membership/add_member_payment_with_le/" method="POST" style="margin-bottom: 0px">{% csrf_token %}
   <select name="member_id" onChange="this.form.submit();">
   {% for person in members %}
     <option value="{{ person.member_id }}">{{ person.member_id }} {{ person.name }}</option>
index b79c6eb..79fcd86 100644 (file)
@@ -16,7 +16,7 @@
 </tr>
 
 {% if not year %}
-<form action="new/" method="POST">
+<form action="new/" method="POST">{% csrf_token %}
 <tr>
 <td><input type="text" name="date" value=""  size=10 maxlength=10 /></td>
 <td><select name="business">
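Review bot: The `new/` form opens directly inside the `<table>` (between `</tr>` and `<tr>`), which is invalid HTML; browsers repair that differently, and the hidden `csrfmiddlewaretoken` input that `{% csrf_token %}` emits right after the `<form>` tag can end up detached from the form, so the submit reaches the server without a token and is refused with 403. Wrapping the whole table in the form, or putting the input row in its own table inside a `<td>`, avoids relying on parser recovery. The same between-rows layout recurs in the other table templates of this commit.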
   </td>
   <td align=left>{% ifequal 0 forloop.counter0 %}{{ t.memo_detail }}{% endifequal %}</td>
   <td>{% if not year %}{% ifequal 0 forloop.revcounter0 %}
-    <form action="{{ t.id }}/delete/" method="POST" style="margin-bottom: 0px">
+    <form action="{{ t.id }}/delete/" method="POST" style="margin-bottom: 0px">{% csrf_token %}
     <input type="hidden" value="{{ original_path }}" name="original_path" />
     <input type="submit" name="delete" value="{% trans 'Delete' %}" />
     </form>{% endifequal %}{% endif %}
index c759c07..0730660 100644 (file)
@@ -6,7 +6,7 @@
 {{ errors }}
 {% endif %}
 
-<form action="register/" method="POST">
+<form action="register/" method="POST">{% csrf_token %}
 <ul>
 <li>会員番号
   <select name="member_id">
index 9e3a924..8077595 100644 (file)
@@ -14,7 +14,7 @@ parent.list.location.reload()
 {{ errors }}
 {% endif %}
 
-<form action="register/" method="POST">
+<form action="register/" method="POST">{% csrf_token %}
 <ul>
 <li>連絡先は自宅<input type=checkbox name=contact_is_home {% if addr.contact_is_home%}checked{% endif %}/> (会社の場合は外してください)</li>
 <li>郵便番号<input type=text name=zip_code value="{{addr.zip_code}}" /> (必須)</li>
index 85b4c8f..f56a614 100644 (file)
@@ -1,7 +1,7 @@
 {% load i18n %}
 <h1>会員情報(住所)</h1>
 
-<form action="register/" method="post">
+<form action="register/" method="post">{% csrf_token %}
 <table>
 <tr><td>会員番号</td><td>{{ member.member_id }}</td></tr>
 <tr><td>連絡先は自宅</td><td><input type="checkbox" value="home" name="contact" {% if address.contact_is_home %}checked{% endif %}></td></tr>
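Review bot: This template looks stale rather than live — it reads `address.contact_is_home` and posts `name="contact"`, while the `member_address` view in this same commit supplies the object as `addr` and the current `member_address.html` posts `contact_is_home` — so adding `{% csrf_token %}` here keeps a second, diverging copy of the form alive. If nothing renders it, deleting it is safer than patching it; an unused template containing a form is exactly the path that gets overlooked in later reviews. If it is still rendered somewhere, the context-name mismatch means the checkbox state is never shown.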
index 5909954..b8fee39 100644 (file)
@@ -14,7 +14,7 @@ parent.list.location.reload()
 
 <h2>会員番号: {{ member.member_id }}</h2>
 
-<form action="register/" method="POST">
+<form action="register/" method="POST">{% csrf_token %}
 <ul>
 <li>会員種別: <select name=member_type>
 {% for mt in member_type_list %}
index 23ca162..7af8666 100644 (file)
@@ -14,7 +14,7 @@ parent.list.location.reload()
 {{ errors }}
 {% endif %}
 
-<form action="register/" method="POST">
+<form action="register/" method="POST">{% csrf_token %}
 <ul>
 <li>メールアドレス<input type=text name=email value="{{email}}" /> (@fsij.org はダメです) </li>
 </ul>
index f365fd5..95f8874 100644 (file)
@@ -21,7 +21,7 @@ parent.list.location.reload()
 <tr><th>日付</th><th>内容</th><th>編集</th></tr>
 {% for p in payments %}
 <tr bgcolor={% cycle lightcyan,white %}>
-<form action="delete/{{ p.id }}/" method="POST">
+<form action="delete/{{ p.id }}/" method="POST">{% csrf_token %}
 <td>
 {% if p.le %}<a href="../../../accounting/transaction/{{ p.le.t.id }}/">{% endif %}
 {{ p.date }}
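Review bot: The per-row `delete/{{ p.id }}/` form is a direct child of `<tr>`, which is invalid markup; the HTML parser may hoist or drop the `<form>` element and the hidden token input emitted by `{% csrf_token %}` can lose its association with it, so the delete submit may arrive without a token and be refused with 403 in some browsers. Placing the form inside the `<td>` that holds the submit button (as `transaction_list.html` does for its delete form) makes the token placement robust. The `add/` form later in this template sits between rows in the same way.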
@@ -50,7 +50,7 @@ parent.list.location.reload()
 </tr>
 </form>
 {% endfor %}
-<form action="add/" method="POST">
+<form action="add/" method="POST">{% csrf_token %}
 <tr>
 <td><input type="text" name="date" value=""/></td>
 <td>
index 7647988..60d24d3 100644 (file)
@@ -11,7 +11,7 @@
   <td></td>
 </tr>
 {% for p in payments %}
-<form action="/{{ p.id }}/" method="POST">
+<form action="/{{ p.id }}/" method="POST">{% csrf_token %}
 <tr>
   <td>{{ p.date }}</td>
   <td><a href="../{{ p.member.member_id }}/" title="{{ p.member.user.last_name }} {{ p.member.user.first_name }}" target="edit">{{ p.member.member_id }}</a></td>
@@ -26,7 +26,7 @@
 {% endfor %}
 <tr>
 <td>
-<form action="/{{ p.id }}/new/" method="POST">
+<form action="/{{ p.id }}/new/" method="POST">{% csrf_token %}
 <input type="submit" value="Submit" />
 <input type="hidden" value="{{ original_path }}" name="original_path" />
 </form>
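Review bot: The `new/` form's action uses `{{ p.id }}` after the `{% endfor %}` just above the hunk, but Django's `for` tag pops its context when the loop ends, so `p` is unresolved there and renders as an empty string, yielding `action="//new/"` — a scheme-relative URL to a host named `new`, to which the browser would send the POST along with the CSRF token. If this form creates a new payment the action should presumably be a fixed path such as `action="/new/"`; if it is meant to reference the last listed payment it needs a variable set outside the loop. Worth confirming against the URLconf, which is not in this diff.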
index bb29ed5..f96a6ac 100644 (file)
@@ -12,7 +12,7 @@ You don't have permission.<p>
 {% else %}
 Login required.<p>
 
-<form method="post" action="/login/">
+<form method="post" action="/login/">{% csrf_token %}
   <div class="form-row">
     <label for="id_username">{% trans 'Username:' %}</label> <input type="text" name="username" id="id_username" />
   </div>
index c13c7f7..6d7a660 100644 (file)
@@ -11,7 +11,7 @@
 
 <p>{% trans "Please enter your old password, for security's sake, and then enter your new password twice so we can verify you typed it in correctly." %}</p>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 
 {{ form.old_password.errors }}
 <p class="aligned wide"><label for="id_old_password">{% trans 'Old password:' %}</label>{{ form.old_password }}</p>
index 0d3eb38..28adf29 100644 (file)
@@ -13,7 +13,7 @@
 
 <p>{% trans "Please enter your new password twice so we can verify you typed it in correctly." %}</p>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.new_password1.errors }}
 <p class="aligned wide"><label for="id_new_password1">{% trans 'New password:' %}</label>{{ form.new_password1 }}</p>
 {{ form.new_password2.errors }}
index 704066c..d3a1284 100644 (file)
@@ -11,7 +11,7 @@
 
 <p>{% trans "Forgotten your password? Enter your e-mail address below, and we'll e-mail instructions for setting a new one." %}</p>
 
-<form action="" method="post">
+<form action="" method="post">{% csrf_token %}
 {{ form.email.errors }}
 <p><label for="id_email">{% trans 'E-mail address:' %}</label> {{ form.email }} <input type="submit" value="{% trans 'Reset my password' %}" /></p>
 </form>
index eff5801..79adbdb 100644 (file)
@@ -42,7 +42,7 @@ Google mapでは<a href=http://maps.google.com/maps/ms?msa=0&msid=11469454989933
 <p>ユーザ: {{ user.username }} <a href="/logout/">{% trans "logout" %}</a></p>
 {% else %}
 <h2>ログイン</h2>
-<form method="post" action="/login/">
+<form method="post" action="/login/">{% csrf_token %}
   <div class="form-row">
     <label for="id_username">{% trans 'Username:' %}</label> <input type="text" name="username" id="id_username" />
   </div>
index 818c549..b03d9f5 100644 (file)
--- a/views.py
+++ b/views.py
@@ -1,7 +1,8 @@
+from django.core.context_processors import csrf
 from django.shortcuts import render_to_response
 
 def index(request):
     request.session.set_test_cookie()
-    return render_to_response('top_page.html',
-                              {'user': request.user,
-                               })
+    ctxt = {'user': request.user, }
+    ctxt.update(csrf(request))
+    return render_to_response('top_page.html', ctxt)