Handle 403 Forbidden errors better

This commit is contained in:
Noah 2014-07-01 00:45:13 +00:00
parent 7e0fc42700
commit 969a758a8d
2 changed files with 28 additions and 6 deletions


@ -56,12 +56,6 @@ Emoticons.load_theme()
def before_request(): def before_request():
"""Called before all requests. Initialize global template variables.""" """Called before all requests. Initialize global template variables."""
# CSRF protection.
if request.method == "POST":
token = session.pop("_csrf", None)
if not token or str(token) != str(request.form.get("token")):
abort(403)
# Default template vars. # Default template vars.
g.info = { g.info = {
"time": time.time(), "time": time.time(),
@ -86,6 +80,12 @@ def before_request():
if not "login" in session: if not "login" in session:
session.update(g.info["session"]) session.update(g.info["session"])
# CSRF protection.
if request.method == "POST":
token = session.pop("_csrf", None)
if not token or str(token) != str(request.form.get("token")):
abort(403)
# Refresh their login status from the DB. # Refresh their login status from the DB.
if session["login"]: if session["login"]:
import rophako.model.user as User import rophako.model.user as User
@ -151,6 +151,11 @@ def not_found(error):
return render_template('errors/404.html', **g.info), 404 return render_template('errors/404.html', **g.info), 404
@app.errorhandler(403)
def forbidden(error):
return render_template('errors/403.html', **g.info), 403
# Domain specific endpoints. # Domain specific endpoints.
if config.SITE_NAME == "kirsle.net": if config.SITE_NAME == "kirsle.net":
import rophako.modules.kirsle_legacy import rophako.modules.kirsle_legacy
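Review bot: The token check on the new side of the second hunk, `if not token or str(token) != str(request.form.get("token")):`, compares the CSRF token with ordinary string inequality, which is not constant-time; `hmac.compare_digest(str(token), str(request.form.get("token") or ""))` gives a constant-time comparison if the interpreter the project targets provides it (2.7.7+ / 3.3+). The check also runs only for POST, so any state-changing handler reached via PUT, PATCH or DELETE would not be covered — worth confirming none exist, or widening the condition to `if request.method in ("POST", "PUT", "PATCH", "DELETE"):`. `forbidden` in the third hunk has no docstring, unlike `before_request`; a one-liner such as `"""Render the 403 page; g.info is populated by before_request by this point."""` would match the file's style. The body of `before_request` continues outside the second hunk.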


@ -0,0 +1,17 @@
{% extends "layout.html" %}
{% block title %}Forbidden{% endblock %}
{% block content %}
<h1>Forbidden</h1>
Access to this page was denied. Most likely, this error was caused because a
check to prevent <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site
request forgery</a> has failed. This will sometimes happen if you had this site
open in two different browser tabs, and you submitted a form in one tab (on a
"newer" page) and then tried submitting a form on an older page.<p>
If this is the case, click your browser's "Back" button and then reload the
page you came from and try again (you may want to copy your message before
reloading in case your browser clears it out).
{% endblock %}
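Review bot: The bare `<p>` appended to `... on an older page.<p>` opens a paragraph mid-text rather than separating two paragraphs, so the markup is unbalanced and the first paragraph is never wrapped; wrapping each of the two paragraphs in `<p>…</p>` is the conventional form. The Wikipedia link uses `http://`; `https://en.wikipedia.org/wiki/Cross-site_request_forgery` avoids sending the reader over a plaintext hop from an error page.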