Handle 403 Forbidden errors better
This commit is contained in:
parent
7e0fc42700
commit
969a758a8d
|
@ -56,12 +56,6 @@ Emoticons.load_theme()
|
|||
def before_request():
|
||||
"""Called before all requests. Initialize global template variables."""
|
||||
|
||||
# CSRF protection.
|
||||
if request.method == "POST":
|
||||
token = session.pop("_csrf", None)
|
||||
if not token or str(token) != str(request.form.get("token")):
|
||||
abort(403)
|
||||
|
||||
# Default template vars.
|
||||
g.info = {
|
||||
"time": time.time(),
|
||||
|
@ -86,6 +80,12 @@ def before_request():
|
|||
if not "login" in session:
|
||||
session.update(g.info["session"])
|
||||
|
||||
# CSRF protection.
|
||||
if request.method == "POST":
|
||||
token = session.pop("_csrf", None)
|
||||
if not token or str(token) != str(request.form.get("token")):
|
||||
abort(403)
|
||||
|
||||
# Refresh their login status from the DB.
|
||||
if session["login"]:
|
||||
import rophako.model.user as User
|
||||
|
@ -151,6 +151,11 @@ def not_found(error):
|
|||
return render_template('errors/404.html', **g.info), 404
|
||||
|
||||
|
||||
@app.errorhandler(403)
|
||||
def forbidden(error):
|
||||
return render_template('errors/403.html', **g.info), 403
|
||||
|
||||
|
||||
# Domain specific endpoints.
|
||||
if config.SITE_NAME == "kirsle.net":
|
||||
import rophako.modules.kirsle_legacy
|
||||
|
|
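Review bot: The relocated CSRF check at `if not token or str(token) != str(request.form.get("token")):` still compares the two tokens with plain `!=`, which is not constant-time; since the block is being touched anyway, switch it to `if not token or not hmac.compare_digest(str(token), str(request.form.get("token", ""))):` (with `import hmac` added to the top of the file). Moving the check below `session.update(g.info["session"])` looks intended so that `g.info` is populated when `abort(403)` fires and the new `forbidden` handler can render `**g.info`, but nothing records that ordering constraint; a comment such as `# Must run after g.info is set: the 403 handler renders with **g.info.` would stop someone moving it back to its old, more natural-looking position. Note also that `session.pop("_csrf", None)` consumes the token on every POST whether or not the comparison passes, which is the two-tab behaviour the new 403 page describes, and that only `request.method == "POST"` is covered, so any endpoint accepting PUT or DELETE would be unchecked (cannot tell from this hunk whether such endpoints exist). The body of before_request continues outside both hunks.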
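--- /dev/null
+++ b/rophako/www/errors/403.html
@@ -0,0 +1,17 @@
+{% extends "layout.html" %}
+{% block title %}Forbidden{% endblock %}
+{% block content %}
+
+<h1>Forbidden</h1>
+
+Access to this page was denied. Most likely, this error was caused because a
+check to prevent <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site
+request forgery</a> has failed. This will sometimes happen if you had this site
+open in two different browser tabs, and you submitted a form in one tab (on a
+"newer" page) and then tried submitting a form on an older page.<p>
+
+If this is the case, click your browser's "Back" button and then reload the
+page you came from and try again (you may want to copy your message before
+reloading in case your browser clears it out).
+
+{% endblock %}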
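Review bot: The trailing `<p>` on the line ending `tried submitting a form on an older page.<p>` opens a paragraph that is never closed and is only acting as a spacer; wrapping each of the two explanatory paragraphs in `<p>…</p>` and dropping that stray tag keeps the template's markup well-formed. The Wikipedia link could also be `https://en.wikipedia.org/wiki/Cross-site_request_forgery` rather than `http://`, so the error page does not hand visitors a plaintext link. The explanation of the two-tab failure is consistent with the session check that pops the token on every POST, so the wording itself needs no change.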