csrf-correction

This commit is contained in:
denis defolie
2026-07-10 09:49:36 +02:00
parent 695e59174a
commit 90d271dc2b
8 changed files with 17 additions and 12 deletions
+1 -1
View File
@@ -17,7 +17,7 @@ echo
# system
echo "==== system essential"
sudo apt -y install build-essential openssl git pkg-config redis supervisor sqlitebrowser samba-client cifs-utils gettext
sudo apt -y install build-essential openssl git pkg-config redis supervisor sqlitebrowser samba-client cifs-utils gettext avahi-daemon
echo "==== python3 install"
sudo apt -y install python3-dev python3-pip python3-venv libpq-dev default-libmysqlclient-dev libmariadb-dev python3-picamera2
@@ -40,3 +40,13 @@ function timestampToLocalISOString(timestamp) {
return toLocalISOString(date);
}
function getCookie(name) {
const match = document.cookie.match('(?:^|; )' + name + '=([^;]*)');
return match ? decodeURIComponent(match[1]) : null;
}
function csrfFetch(url, options = {}) {
options.headers = { ...(options.headers || {}), 'X-CSRFToken': getCookie('csrftoken') };
return fetch(url, options);
}
@@ -58,7 +58,7 @@
});
});
function export_csv(url, pid, mode) {
fetch(url, {
csrfFetch(url, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
+1 -3
View File
@@ -11,7 +11,6 @@ from django.contrib import messages
from django.http import JsonResponse, FileResponse
from django.shortcuts import redirect
from django.utils.translation import gettext_lazy as _
from django.views.decorators.csrf import csrf_exempt
from django.shortcuts import render #, redirect
from django.views.decorators.http import require_GET
from django.contrib.auth.decorators import login_required
@@ -85,8 +84,7 @@ def get_active_session(request, session_id=None, experiment_id=None):
# Vue :Export CSV depuis ReductStore
# ---------------------------------------------------------------------------
@login_required
@csrf_exempt
def export_metrics(request):
def export_metrics(request):
data = json.loads(request.body.decode() or "{}")
action = data.get("action")
pid = data.get("pid")
@@ -171,7 +171,7 @@ class ReplayManager {
const ok = confirm(`Télécharger le fichier ?\n\n${filename}`);
if (!ok) return false;
fetch(this.video_endpoint, {
csrfFetch(this.video_endpoint, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
@@ -101,7 +101,7 @@
function download_all_images(sid) {
const ok = confirm(export_msg +' '+ export_msg_long);
if (!ok) return false;
fetch(image_endpoint, {
csrfFetch(image_endpoint, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
@@ -86,8 +86,8 @@
function download_all_videos(sid) {
const ok = confirm(export_msg);
if (!ok) return false;
fetch(image_endpoint, {
if (!ok) return false;
csrfFetch(image_endpoint, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
-3
View File
@@ -6,7 +6,6 @@ from django.shortcuts import render #, redirect
from django.http import JsonResponse, FileResponse
from django.utils.translation import gettext_lazy as _
from django.views.decorators.http import require_GET, require_POST
from django.views.decorators.csrf import csrf_exempt
from django.contrib.auth.decorators import login_required, user_passes_test
from django.conf import settings
from django.utils import timezone
@@ -252,7 +251,6 @@ def export_medias(request):
@require_POST
@csrf_exempt
def download_api(request):
data = json.loads(request.body.decode() or "{}")
try:
@@ -314,7 +312,6 @@ def replay_view(request):
@require_POST
@csrf_exempt
def export_api(request):
data = json.loads(request.body.decode() or "{}")
session_id = data.get("sid")