Explicitly allow only POST and GET requests

20f41cbf · Sofia Papagiannaki · 2187bea1 · 20f41cbf · 20f41cbf · 20f41cbf
Commit 20f41cbf authored Oct 12, 2012 by Sofia Papagiannaki
--- a/snf-astakos-app/astakos/im/target/local.py
+++ b/snf-astakos-app/astakos/im/target/local.py
@@ -38,6 +38,7 @@ from django.contrib.auth import authenticate
 from django.contrib import messages
 from django.utils.translation import ugettext as _
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.http import require_http_methods

 from astakos.im.util import prepare_response, get_query
 from astakos.im.views import requires_anonymous
@@ -50,6 +51,7 @@ from ratelimit.decorators import ratelimit
 retries = RATELIMIT_RETRIES_ALLOWED-1
 rate = str(retries)+'/m'

+@require_http_methods(["GET", "POST"])
 @csrf_exempt
 @requires_anonymous
 @ratelimit(field='username', method='POST', rate=rate)

--- a/snf-astakos-app/astakos/im/target/redirect.py
+++ b/snf-astakos-app/astakos/im/target/redirect.py
@@ -39,6 +39,7 @@ from django.utils.http import urlencode
 from django.contrib.auth import authenticate
 from django.http import HttpResponse, HttpResponseBadRequest
 from django.core.exceptions import ValidationError
+from django.views.decorators.http import require_http_methods

 from urllib import quote
 from urlparse import urlunsplit, urlsplit, urlparse, parse_qsl
@@ -51,6 +52,7 @@ import logging

 logger = logging.getLogger(__name__)

+@require_http_methods(["GET", "POST"])
 def login(request):
    """
    If there is no ``next`` request parameter redirects to astakos index page

--- a/snf-astakos-app/astakos/im/target/shibboleth.py
+++ b/snf-astakos-app/astakos/im/target/shibboleth.py
@@ -36,6 +36,7 @@ from django.utils.translation import ugettext as _
 from django.contrib import messages
 from django.template import RequestContext
 from django.forms.models import inlineformset_factory
+from django.views.decorators.http import require_http_methods

 from astakos.im.util import prepare_response, get_context, get_invitation
 from astakos.im.views import requires_anonymous, render_response
@@ -55,6 +56,7 @@ class Tokens:
    SHIB_SESSION_ID = "HTTP_SHIB_SESSION_ID"
    SHIB_MAIL = "HTTP_SHIB_MAIL"

+@require_http_methods(["GET", "POST"])
 @requires_anonymous
 def login(request,  backend=None, on_login_template='im/login.html', on_creation_template='im/third_party_registration.html', extra_context={}):
    tokens = request.META

--- a/snf-astakos-app/astakos/im/views.py
+++ b/snf-astakos-app/astakos/im/views.py
@@ -53,6 +53,7 @@ from django.db.utils import IntegrityError
 from django.contrib.auth.views import password_change
 from django.core.exceptions import ValidationError
 from django.db.models import Q
+from django.views.decorators.http import require_http_methods

 from astakos.im.models import AstakosUser, Invitation, ApprovalTerms
 from astakos.im.activation_backends import get_backend, SimpleBackend
@@ -109,6 +110,7 @@ def signed_terms_required(func):
        return func(request, *args, **kwargs)
    return wrapper

+@require_http_methods(["GET", "POST"])
 @signed_terms_required
 def index(request, login_template_name='im/login.html', profile_template_name='im/profile.html', extra_context={}):
    """
@@ -139,6 +141,7 @@ def index(request, login_template_name='im/login.html', profile_template_name='i
                           login_form = LoginForm(request=request),
                           context_instance = get_context(request, extra_context))

+@require_http_methods(["GET", "POST"])
 @login_required
 @signed_terms_required
 @transaction.commit_manually
@@ -217,6 +220,7 @@ def invite(request, template_name='im/invitations.html', extra_context={}):
                           invitation_form = form,
                           context_instance = context)

+@require_http_methods(["GET", "POST"])
 @login_required
 @signed_terms_required
 def edit_profile(request, template_name='im/profile.html', extra_context={}):
@@ -275,6 +279,7 @@ def edit_profile(request, template_name='im/profile.html', extra_context={}):
                           context_instance = get_context(request,
                                                          extra_context))

+@require_http_methods(["GET", "POST"])
 def signup(request, template_name='im/signup.html', on_success='im/signup_complete.html', extra_context={}, backend=None):
    """
    Allows a user to create a local account.
@@ -355,6 +360,7 @@ def signup(request, template_name='im/signup.html', on_success='im/signup_comple
                           provider = provider,
                           context_instance=get_context(request, extra_context))

+@require_http_methods(["GET", "POST"])
 @login_required
 @signed_terms_required
 def feedback(request, template_name='im/feedback.html', email_template_name='im/feedback_mail.txt', extra_context={}):
@@ -407,6 +413,7 @@ def feedback(request, template_name='im/feedback.html', email_template_name='im/
                           feedback_form = form,
                           context_instance = get_context(request, extra_context))

+@require_http_methods(["GET", "POST"])
 def logout(request, template='registration/logged_out.html', extra_context={}):
    """
    Wraps `django.contrib.auth.logout` and delete the cookie.
@@ -432,6 +439,7 @@ def logout(request, template='registration/logged_out.html', extra_context={}):
    response.write(render_to_string(template, context_instance=context))
    return response

+@require_http_methods(["GET", "POST"])
 @transaction.commit_manually
 def activate(request, greeting_email_template_name='im/welcome_email.txt', helpdesk_email_template_name='im/helpdesk_notification.txt'):
    """
@@ -492,6 +500,7 @@ def activate(request, greeting_email_template_name='im/welcome_email.txt', helpd
            transaction.rollback()
            return index(request)

+@require_http_methods(["GET", "POST"])
 def approval_terms(request, term_id=None, template_name='im/approval_terms.html', extra_context={}):
    term = None
    terms = None
@@ -532,12 +541,16 @@ def approval_terms(request, term_id=None, template_name='im/approval_terms.html'
                               approval_terms_form = form,
                               context_instance = get_context(request, extra_context))

+@require_http_methods(["GET", "POST"])
 @signed_terms_required
 def change_password(request):
    return password_change(request,
                            post_change_redirect=reverse('astakos.im.views.edit_profile'),
                            password_change_form=ExtendedPasswordChangeForm)

+@require_http_methods(["GET", "POST"])
+@login_required
+@signed_terms_required
 @transaction.commit_manually
 def change_email(request, activation_key=None,
                 email_template_name='registration/email_change_email.txt',