chore: add csrf protection for changes to registration state

main
Luca 7 months ago
parent fb58e1db77
commit 063313f87b

@ -33,8 +33,14 @@
<td><a href="{% url 'team:shift' reg.shift.pk %}">{{ reg.shift.duration|duration }}</a></td> <td><a href="{% url 'team:shift' reg.shift.pk %}">{{ reg.shift.duration|duration }}</a></td>
<td> <td>
<div class="buttons"> <div class="buttons">
<a class="button is-success is-small" href="{% url 'team:checkin' reg.pk %}">Als angekommen markieren</a> <form action="{% url 'team:checkin' reg.pk %}" method="post">
<a class="button is-danger is-small" href="{% url 'team:mark_as_failed' reg.pk %}">Nicht angetreten</a> {% csrf_token %}
<button class="button is-success is-small mr-2" type="submit">Als angekommen markieren</button>
</form>
<form action="{% url 'team:mark_as_failed' reg.pk %}" method="post">
{% csrf_token %}
<button class="button is-danger is-small mr-2" type="submit">Nicht angetreten</button>
</form>
<a class="button is-link is-small" href="tel:{{ reg.helper.phone }}">📞</a> <a class="button is-link is-small" href="tel:{{ reg.helper.phone }}">📞</a>
</div> </div>
</td> </td>

@ -0,0 +1,12 @@
{% extends "base.html" %}
{% block title %}{{ action|default:"Aktion bestätigen" }}{% endblock %}
{% block content %}
<h3 class="title">{{ action|default:"Aktion bestätigen" }}</h3>
<form method="POST">
{% csrf_token %}
<button class="button is-{{ button_style|default:"danger" }} is-small" type="submit">{{ button_text|default:"Bestätigen" }}</button>
</form>
<a class="button mt-3" href="{% url 'team:shift' reg.shift.pk %}">Zurück</a>
{% endblock %}

@ -1,12 +0,0 @@
{% extends "base.html" %}
{% block title %}Helfer*in wirklich sperren?{% endblock %}
{% block content %}
<h3 class="title">Helfer*in wirklich sperren?</h3>
<form method="POST">
{% csrf_token %}
<button class="button is-danger is-small" type="submit">Schicht als "nicht angetreten" markieren und Helfer*in sperren</button>
</form>
<a class="button mt-3" href="{% url 'team:shift' reg.shift.pk %}">Zurück</a>
{% endblock %}

@ -32,9 +32,18 @@
</div> </div>
<div class="buttons"> <div class="buttons">
{% if reg.is_pending %} {% if reg.is_pending %}
<a class="button is-success is-small" href="{% url 'team:checkin' reg.pk %}">Als angekommen markieren</a> <form action="{% url 'team:checkin' reg.pk %}" method="post">
<a class="button is-warning is-small" href="{% url 'team:unregister' reg.pk %}">Helfer*in abmelden</a> {% csrf_token %}
<a class="button is-danger is-small" href="{% url 'team:mark_as_failed' reg.pk %}">Nicht angetreten</a> <button class="button is-success is-small mr-2" type="submit">Als angekommen markieren</button>
</form>
<form action="{% url 'team:unregister' reg.pk %}" method="post">
{% csrf_token %}
<button class="button is-warning is-small mr-2" type="submit">Helfer*in abmelden</button>
</form>
<form action="{% url 'team:mark_as_failed' reg.pk %}" method="post">
{% csrf_token %}
<button class="button is-danger is-small" type="submit">Nicht angetreten</button>
</form>
{% elif reg.is_checked_in %} {% elif reg.is_checked_in %}
<button class="button is-success is-small" style="pointer-events:none;"></button> <button class="button is-success is-small" style="pointer-events:none;"></button>
{% endif %} {% endif %}

@ -308,10 +308,19 @@ class CheckinList(LoginRequiredMixin, ListView):
@login_required @login_required
def checkin(request, pk): def checkin(request, pk):
reg = get_object_or_404(ShiftRegistration, pk=pk) reg = get_object_or_404(ShiftRegistration, pk=pk)
if request.method == "POST":
reg.state = reg.RegState.CHECKED_IN reg.state = reg.RegState.CHECKED_IN
reg.save() reg.save()
return redirect("team:shift", pk=reg.shift.pk) return redirect("team:shift", pk=reg.shift.pk)
return render(
request,
"csrf_protect.html",
{"action": "Als angekommen markieren", "button_text": "Angekommen", "reg": reg},
)
@login_required @login_required
def mark_as_failed(request, pk): def mark_as_failed(request, pk):
@ -326,15 +335,31 @@ def mark_as_failed(request, pk):
return redirect("team:shift", pk=reg.shift.pk) return redirect("team:shift", pk=reg.shift.pk)
return render(request, "molly_guard.html", {"reg": reg}) return render(
request,
"csrf_protect.html",
{
"action": 'Schicht als "nicht angetreten" markieren',
"button_text": "Nicht angetreten",
"reg": reg,
},
)
@login_required @login_required
def delete_shiftregistration(request, pk): def delete_shiftregistration(request, pk):
reg = get_object_or_404(ShiftRegistration, pk=pk) reg = get_object_or_404(ShiftRegistration, pk=pk)
spk = reg.shift.pk
if request.method == "POST":
reg.delete() reg.delete()
return redirect("team:shift", pk=spk)
return redirect("team:shift", pk=reg.shift.pk)
return render(
request,
"csrf_protect.html",
{"action": "Helfer*in abmelden", "button_text": "Abmelden", "reg": reg},
)
class IncomingMessagesList(LoginRequiredMixin, ListView): class IncomingMessagesList(LoginRequiredMixin, ListView):

Loading…
Cancel
Save