Handle 403 Forbidden errors better

rophako/__init__.py

@@ -56,12 +56,6 @@ Emoticons.load_theme()
 def before_request():
     """Called before all requests. Initialize global template variables."""
 
-    # CSRF protection.
-    if request.method == "POST":
-        token = session.pop("_csrf", None)
-        if not token or str(token) != str(request.form.get("token")):
-            abort(403)
-
     # Default template vars.
     g.info = {
         "time": time.time(),
@@ -86,6 +80,12 @@ def before_request():
     if not "login" in session:
         session.update(g.info["session"])
 
+    # CSRF protection.
+    if request.method == "POST":
+        token = session.pop("_csrf", None)
+        if not token or str(token) != str(request.form.get("token")):
+            abort(403)
+
     # Refresh their login status from the DB.
     if session["login"]:
         import rophako.model.user as User
@@ -151,6 +151,11 @@ def not_found(error):
     return render_template('errors/404.html', **g.info), 404
 
 
+@app.errorhandler(403)
+def forbidden(error):
+    return render_template('errors/403.html', **g.info), 403
+
+
 # Domain specific endpoints.
 if config.SITE_NAME == "kirsle.net":
     import rophako.modules.kirsle_legacy

rophako/www/errors/403.html

@@ -0,0 +1,17 @@
+{% extends "layout.html" %}
+{% block title %}Forbidden{% endblock %}
+{% block content %}
+
+<h1>Forbidden</h1>
+
+Access to this page was denied. Most likely, this error was caused because a
+check to prevent <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site
+request forgery</a> has failed. This will sometimes happen if you had this site
+open in two different browser tabs, and you submitted a form in one tab (on a
+"newer" page) and then tried submitting a form on an older page.<p>
+
+If this is the case, click your browser's "Back" button and then reload the
+page you came from and try again (you may want to copy your message before
+reloading in case your browser clears it out).
+
+{% endblock %}