From 7f043f588b651afc95da91faae2043b02b2fa6b9 Mon Sep 17 00:00:00 2001 From: Mathijs de Bruin Date: Wed, 4 Sep 2013 21:57:04 +0200 Subject: [PATCH 1/3] Added jQuery tool for doing proper CSRF with AJAX. --- README.md | 1 + .../adminsortable/js/jquery.django-csrf.js | 32 +++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 adminsortable/static/adminsortable/js/jquery.django-csrf.js diff --git a/README.md b/README.md index 2fd4286..4da2d97 100644 --- a/README.md +++ b/README.md @@ -223,6 +223,7 @@ Example: js = ( '//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js', '//ajax.googleapis.com/ajax/libs/jqueryui/1.10.2/jquery-ui.min.js', + 'adminsortable/js/jquery.django-csrf.js', # 'adminsortable/js/admin.sortable.stacked.inlines.js', 'adminsortable/js/admin.sortable.tabular.inlines.js', ) diff --git a/adminsortable/static/adminsortable/js/jquery.django-csrf.js b/adminsortable/static/adminsortable/js/jquery.django-csrf.js new file mode 100644 index 0000000..277c18e --- /dev/null +++ b/adminsortable/static/adminsortable/js/jquery.django-csrf.js @@ -0,0 +1,32 @@ +// using jQuery +function getCookie(name) { + var cookieValue = null; + if (document.cookie && document.cookie !== '') { + var cookies = document.cookie.split(';'); + for (var i = 0; i < cookies.length; i++) { + var cookie = jQuery.trim(cookies[i]); + // Does this cookie string begin with the name we want? + if (cookie.substring(0, name.length + 1) == (name + '=')) { + cookieValue = decodeURIComponent(cookie.substring(name.length + 1)); + break; + } + } + } + return cookieValue; +} + +var csrftoken = getCookie('csrftoken'); + +function csrfSafeMethod(method) { + // these HTTP methods do not require CSRF protection + return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method)); +} + +$.ajaxSetup({ + crossDomain: false, // obviates need for sameOrigin test + beforeSend: function(xhr, settings) { + if (!csrfSafeMethod(settings.type)) { + xhr.setRequestHeader("X-CSRFToken", csrftoken); + } + } +}); From 53291d2fd747c91a343b2dd7df4df4b8c5e36f22 Mon Sep 17 00:00:00 2001 From: Mathijs de Bruin Date: Wed, 4 Sep 2013 22:14:32 +0200 Subject: [PATCH 2/3] Add CSRF tweak to admin template. --- adminsortable/templates/adminsortable/change_form.html | 1 + 1 file changed, 1 insertion(+) diff --git a/adminsortable/templates/adminsortable/change_form.html b/adminsortable/templates/adminsortable/change_form.html index ec39b1b..60dbaed 100644 --- a/adminsortable/templates/adminsortable/change_form.html +++ b/adminsortable/templates/adminsortable/change_form.html @@ -10,6 +10,7 @@ {% if has_sortable_tabular_inlines or has_sortable_stacked_inlines %} {% include sortable_javascript_includes_template with inlines=True %} {% endif %} + {% if has_sortable_tabular_inlines %} {% endif %} From 1bf1f967034dee043dbc0e369897417f390e93a5 Mon Sep 17 00:00:00 2001 From: Mathijs de Bruin Date: Wed, 4 Sep 2013 22:15:28 +0200 Subject: [PATCH 3/3] Remove CSRF exemption where it did not belong. --- adminsortable/admin.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/adminsortable/admin.py b/adminsortable/admin.py index 555f6c3..d096d38 100644 --- a/adminsortable/admin.py +++ b/adminsortable/admin.py @@ -19,7 +19,6 @@ from django.contrib.contenttypes.models import ContentType from django.http import HttpResponse from django.shortcuts import render from django.template.defaultfilters import capfirst -from django.views.decorators.csrf import csrf_exempt from adminsortable.utils import get_is_sortable from adminsortable.fields import SortableForeignKey @@ -212,7 +211,6 @@ class SortableAdmin(SortableAdminBase, ModelAdmin): return super(SortableAdmin, self).change_view(request, object_id, extra_context=extra_context) - @csrf_exempt def do_sorting_view(self, request, model_type_id=None): """ This view sets the ordering of the objects for the model type