diff --git a/rophako/__init__.py b/rophako/__init__.py
index fac308a..39573e6 100644
--- a/rophako/__init__.py
+++ b/rophako/__init__.py
@@ -56,12 +56,6 @@ Emoticons.load_theme()
def before_request():
"""Called before all requests. Initialize global template variables."""
- # CSRF protection.
- if request.method == "POST":
- token = session.pop("_csrf", None)
- if not token or str(token) != str(request.form.get("token")):
- abort(403)
-
# Default template vars.
g.info = {
"time": time.time(),
@@ -86,6 +80,12 @@ def before_request():
if not "login" in session:
session.update(g.info["session"])
+ # CSRF protection.
+ if request.method == "POST":
+ token = session.pop("_csrf", None)
+ if not token or str(token) != str(request.form.get("token")):
+ abort(403)
+
# Refresh their login status from the DB.
if session["login"]:
import rophako.model.user as User
@@ -151,6 +151,11 @@ def not_found(error):
return render_template('errors/404.html', **g.info), 404
+@app.errorhandler(403)
+def forbidden(error):
+ return render_template('errors/403.html', **g.info), 403
+
+
# Domain specific endpoints.
if config.SITE_NAME == "kirsle.net":
import rophako.modules.kirsle_legacy
diff --git a/rophako/www/errors/403.html b/rophako/www/errors/403.html
new file mode 100644
index 0000000..9ac0672
--- /dev/null
+++ b/rophako/www/errors/403.html
@@ -0,0 +1,17 @@
+{% extends "layout.html" %}
+{% block title %}Forbidden{% endblock %}
+{% block content %}
+
+
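Review bot: The relocated CSRF guard still fires only on `request.method == "POST"`, so a PUT, PATCH or DELETE route, if the app ever registers one, would run with no token check at all; either `if request.method in ("POST", "PUT", "PATCH", "DELETE"):` or a comment stating that only POST forms exist would keep a later route from bypassing it silently. The comparison `str(token) != str(request.form.get("token"))` is also not constant-time and maps a missing form field to the literal string `"None"`, so a session token that happened to equal `"None"` would pass; `if not token or not hmac.compare_digest(str(token), request.form.get("token", "")):` with `import hmac` at the top of the module avoids both. Popping the token before comparing makes every token single-use, which seems intended given the new 403 page text, but a one-line comment saying so would help the next reader. before_request continues past the end of this hunk.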
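Review bot: `forbidden` reads `g.info` but carries no docstring recording that it depends on before_request having populated it, which holds for the CSRF `abort(403)` only because that check was moved below the `g.info` assignment in this same commit; a 403 raised before that point (for example from another hook) would presumably surface as an AttributeError and a 500 instead of this page. A docstring such as `"""Render the 403 page; g.info is populated by before_request before any abort(403) in this module."""` documents the dependency, and `return render_template('errors/403.html', **getattr(g, "info", {})), 403` keeps the handler rendering if that ordering is ever broken. The same observation applies to the existing `not_found` handler, which follows the identical pattern.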

Forbidden

+ +Access to this page was denied. Most likely, this error was caused because a +check to prevent Cross-site +request forgery has failed. This will sometimes happen if you had this site +open in two different browser tabs, and you submitted a form in one tab (on a +"newer" page) and then tried submitting a form on an older page.

+ +If this is the case, click your browser's "Back" button and then reload the +page you came from and try again (you may want to copy your message before +reloading in case your browser clears it out). + +{% endblock %}