
Handle 403 Forbidden errors better

pull/2/head
Noah Petherbridge 5 years ago
parent
commit
969a758a8d
2 changed files with 28 additions and 6 deletions
  1. +11
    -6
      rophako/__init__.py
  2. +17
    -0
      rophako/www/errors/403.html

+ 11
- 6
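--- a/rophako/__init__.py
+++ b/rophako/__init__.py
@@ -56,12 +56,6 @@ Emoticons.load_theme()
 def before_request():
 """Called before all requests. Initialize global template variables."""
 
-# CSRF protection.
-if request.method == "POST":
-token = session.pop("_csrf", None)
-if not token or str(token) != str(request.form.get("token")):
-abort(403)
-
 # Default template vars.
 g.info = {
 "time": time.time(),
@@ -86,6 +80,12 @@ def before_request():
 if not "login" in session:
 session.update(g.info["session"])
 
+# CSRF protection.
+if request.method == "POST":
+token = session.pop("_csrf", None)
+if not token or str(token) != str(request.form.get("token")):
+abort(403)
+
 # Refresh their login status from the DB.
 if session["login"]:
 import rophako.model.user as User
@@ -151,6 +151,11 @@ def not_found(error):
 return render_template('errors/404.html', **g.info), 404
 
 
+@app.errorhandler(403)
+def forbidden(error):
+return render_template('errors/403.html', **g.info), 403
+
+
 # Domain specific endpoints.
 if config.SITE_NAME == "kirsle.net":
 import rophako.modules.kirsle_legacy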
+ 17
- 0
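--- /dev/null
+++ b/rophako/www/errors/403.html
@@ -0,0 +1,17 @@
+{% extends "layout.html" %}
+{% block title %}Forbidden{% endblock %}
+{% block content %}
+
+<h1>Forbidden</h1>
+
+Access to this page was denied. Most likely, this error was caused because a
+check to prevent <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site
+request forgery</a> has failed. This will sometimes happen if you had this site
+open in two different browser tabs, and you submitted a form in one tab (on a
+"newer" page) and then tried submitting a form on an older page.<p>
+
+If this is the case, click your browser's "Back" button and then reload the
+page you came from and try again (you may want to copy your message before
+reloading in case your browser clears it out).
+
+{% endblock %}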
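Review bot: The new template tells every visitor that the denial was "most likely" a CSRF failure, but `forbidden()` in `rophako/__init__.py` now renders this page for every `abort(403)`, including any authorization denial raised elsewhere in the app, so the explanation and the "press Back and resubmit" advice can mislead a user who was simply not permitted; consider opening with `Access to this page was denied. If you were submitting a form, this usually means a check to prevent` … `has failed.` The Wikipedia link should use `https://` rather than `http://`. The trailing `<p>` after the first paragraph is used as a separator rather than a wrapper; wrapping each paragraph in `<p>…</p>` is the cleaner form.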
