darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-02-05 02:42:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix missing CSRF token on send SMS page

Browse Source 
As part of https://github.com/alphagov/notifications-admin/pull/187 the file
upload pattern was changed to auto-submit once a file had been picked. The
form that was submitted was, however, missing a CSRF token, as well as a submit
button for non-JS users.

This commit makes the file upload pattern self-contained, so that it will always
include a form with a CSRF token in a hidden input and a submit button, which is
then hidden when Javascript loads.
This commit is contained in:
Chris Hill-Scott
2016-02-22 21:37:32 +00:00
parent 7280e90c26
commit 16fbfe49a3
6 changed files with 28 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
app/assets/javascripts/fileUpload.js
View File

@@ -3,20 +3,16 @@
Modules.FileUpload = function() { Modules.FileUpload = function() {
let $field; let $form;
this.submit = function() { this.submit = () => $form.trigger('submit');
$field.parents('form').trigger('submit');
};
this.start = function(component) { this.start = function(component) {
$field = $('.file-upload-field', component); $form = $(component);
// Need to put the event on the container, not the input for it to work properly // Need to put the event on the container, not the input for it to work properly
$(component).on('change', '.file-upload-field', this.submit); $form.on('change', '.file-upload-field', this.submit);
}; };

10
app/assets/stylesheets/components/file-upload.scss
View File

@@ -3,9 +3,15 @@
.file-upload { .file-upload {
&-label { &-label {
@include bold-19; @include bold-19;
display: block; display: block;
margin: 0 0 10px 0; margin: 0 0 10px 0;
.error-message {
padding: 0;
}
} }
&-field { &-field {
@@ -33,6 +39,10 @@
padding-left: $gutter-half; padding-left: $gutter-half;
} }
&-submit {
display: none;
}
} }
} }

6
app/templates/components/file-upload.html
View File

@@ -1,5 +1,5 @@
{% macro file_upload(field, button_text="Choose file") %} {% macro file_upload(field, button_text="Choose file") %}
<div class="form-group{% if field.errors %} error{% endif %}" data-module="file-upload"> <form method="post" enctype="multipart/form-data" class="form-group{% if field.errors %} error{% endif %}" data-module="file-upload">
<label class="file-upload-label" for="{{ field.name }}"> <label class="file-upload-label" for="{{ field.name }}">
<span class="visually-hidden">{{ field.label }}</span> <span class="visually-hidden">{{ field.label }}</span>
{% if hint %} {% if hint %}
@@ -20,5 +20,7 @@
{{ button_text }} {{ button_text }}
</label> </label>
<label class="file-upload-filename" for="{{ field.name }}"></label> <label class="file-upload-filename" for="{{ field.name }}"></label>
</div> <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" class="file-upload-submit" value="Submit" />
</form>
{% endmacro %} {% endmacro %}

7
app/templates/views/check-sms.html
View File

@@ -45,12 +45,7 @@
<a href="{{url_for('.send_sms', service_id=service_id, template_id=template.id)}}" class="page-footer-back-link">Back</a> <a href="{{url_for('.send_sms', service_id=service_id, template_id=template.id)}}" class="page-footer-back-link">Back</a>
</form> </form>
{% else %} {% else %}
<form method="post" action="{{ url_for('.send_sms', service_id=service_id, template_id=template.id) }}" enctype="multipart/form-data"> {{file_upload(form.file, button_text='Upload a CSV file')}}
{{file_upload(form.file, button_text='Choose a CSV file')}}
{{ page_footer(
"Upload"
) }}
</form>
{% endif %} {% endif %}
{% call(item) list_table( {% call(item) list_table(

19
app/templates/views/send-sms.html
View File

@@ -12,19 +12,16 @@
<h1 class="heading-large">Add recipients</h1> <h1 class="heading-large">Add recipients</h1>
<form method="POST" enctype="multipart/form-data"> <div class="grid-row">
<div class="column-two-thirds">
<div class="grid-row"> {{ sms_message(template.formatted_as_markup) }}
<div class="column-two-thirds">
{{ sms_message(template.formatted_as_markup) }}
</div>
</div> </div>
</div>
<p> <p>
<a href="{{ url_for('.get_example_csv', service_id=service_id, template_id=template.id) }}">Download an example CSV file</a> <a href="{{ url_for('.get_example_csv', service_id=service_id, template_id=template.id) }}">Download an example CSV file</a>
</p> </p>
{{file_upload(form.file, button_text='Upload a CSV file')}} {{file_upload(form.file, button_text='Upload a CSV file')}}
</form>
{% endblock %} {% endblock %}

2
tests/app/main/views/test_sms.py
View File

@@ -66,7 +66,7 @@ def test_upload_csvfile_with_invalid_phone_shows_check_page_with_errors(app_,
assert 'Your CSV file contained missing or invalid data' in content assert 'Your CSV file contained missing or invalid data' in content
assert '+44 123' in content assert '+44 123' in content
assert '+44 456' in content assert '+44 456' in content
assert 'Choose a CSV file' in content assert 'Upload a CSV file' in content
@moto.mock_s3 @moto.mock_s3