From 90d271dc2b32f155538626b26b236bf45f60f255 Mon Sep 17 00:00:00 2001 From: denis defolie Date: Fri, 10 Jul 2026 09:49:36 +0200 Subject: [PATCH] csrf-correction --- etc/1-install-sys.sh | 2 +- test_tube_scanner/home/static/js/w3-custom.js | 10 ++++++++++ .../planarian/templates/planarian/base.html | 2 +- test_tube_scanner/planarian/views.py | 4 +--- test_tube_scanner/scanner/static/scanner/js/replay.js | 2 +- .../scanner/templates/scanner/images.html | 2 +- .../scanner/templates/scanner/replay.html | 4 ++-- test_tube_scanner/scanner/views.py | 3 --- 8 files changed, 17 insertions(+), 12 deletions(-) diff --git a/etc/1-install-sys.sh b/etc/1-install-sys.sh index f72606a..e3e5514 100755 --- a/etc/1-install-sys.sh +++ b/etc/1-install-sys.sh @@ -17,7 +17,7 @@ echo # system echo "==== system essential" -sudo apt -y install build-essential openssl git pkg-config redis supervisor sqlitebrowser samba-client cifs-utils gettext +sudo apt -y install build-essential openssl git pkg-config redis supervisor sqlitebrowser samba-client cifs-utils gettext avahi-daemon echo "==== python3 install" sudo apt -y install python3-dev python3-pip python3-venv libpq-dev default-libmysqlclient-dev libmariadb-dev python3-picamera2 diff --git a/test_tube_scanner/home/static/js/w3-custom.js b/test_tube_scanner/home/static/js/w3-custom.js index 5a37119..3106e18 100644 --- a/test_tube_scanner/home/static/js/w3-custom.js +++ b/test_tube_scanner/home/static/js/w3-custom.js @@ -40,3 +40,13 @@ function timestampToLocalISOString(timestamp) { return toLocalISOString(date); } +function getCookie(name) { + const match = document.cookie.match('(?:^|; )' + name + '=([^;]*)'); + return match ? decodeURIComponent(match[1]) : null; +} + +function csrfFetch(url, options = {}) { + options.headers = { ...(options.headers || {}), 'X-CSRFToken': getCookie('csrftoken') }; + return fetch(url, options); +} + diff --git a/test_tube_scanner/planarian/templates/planarian/base.html b/test_tube_scanner/planarian/templates/planarian/base.html index 09d156c..188b65c 100644 --- a/test_tube_scanner/planarian/templates/planarian/base.html +++ b/test_tube_scanner/planarian/templates/planarian/base.html @@ -58,7 +58,7 @@ }); }); function export_csv(url, pid, mode) { - fetch(url, { + csrfFetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ diff --git a/test_tube_scanner/planarian/views.py b/test_tube_scanner/planarian/views.py index 9e59751..d4fd092 100644 --- a/test_tube_scanner/planarian/views.py +++ b/test_tube_scanner/planarian/views.py @@ -11,7 +11,6 @@ from django.contrib import messages from django.http import JsonResponse, FileResponse from django.shortcuts import redirect from django.utils.translation import gettext_lazy as _ -from django.views.decorators.csrf import csrf_exempt from django.shortcuts import render #, redirect from django.views.decorators.http import require_GET from django.contrib.auth.decorators import login_required @@ -85,8 +84,7 @@ def get_active_session(request, session_id=None, experiment_id=None): # Vue :Export CSV depuis ReductStore # --------------------------------------------------------------------------- @login_required -@csrf_exempt -def export_metrics(request): +def export_metrics(request): data = json.loads(request.body.decode() or "{}") action = data.get("action") pid = data.get("pid") diff --git a/test_tube_scanner/scanner/static/scanner/js/replay.js b/test_tube_scanner/scanner/static/scanner/js/replay.js index c573869..a78bffa 100644 --- a/test_tube_scanner/scanner/static/scanner/js/replay.js +++ b/test_tube_scanner/scanner/static/scanner/js/replay.js @@ -171,7 +171,7 @@ class ReplayManager { const ok = confirm(`Télécharger le fichier ?\n\n${filename}`); if (!ok) return false; - fetch(this.video_endpoint, { + csrfFetch(this.video_endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ diff --git a/test_tube_scanner/scanner/templates/scanner/images.html b/test_tube_scanner/scanner/templates/scanner/images.html index ad68176..2b435c6 100644 --- a/test_tube_scanner/scanner/templates/scanner/images.html +++ b/test_tube_scanner/scanner/templates/scanner/images.html @@ -101,7 +101,7 @@ function download_all_images(sid) { const ok = confirm(export_msg +' '+ export_msg_long); if (!ok) return false; - fetch(image_endpoint, { + csrfFetch(image_endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ diff --git a/test_tube_scanner/scanner/templates/scanner/replay.html b/test_tube_scanner/scanner/templates/scanner/replay.html index 42608d2..060f3da 100644 --- a/test_tube_scanner/scanner/templates/scanner/replay.html +++ b/test_tube_scanner/scanner/templates/scanner/replay.html @@ -86,8 +86,8 @@ function download_all_videos(sid) { const ok = confirm(export_msg); - if (!ok) return false; - fetch(image_endpoint, { + if (!ok) return false; + csrfFetch(image_endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ diff --git a/test_tube_scanner/scanner/views.py b/test_tube_scanner/scanner/views.py index 50f8cba..458e70c 100644 --- a/test_tube_scanner/scanner/views.py +++ b/test_tube_scanner/scanner/views.py @@ -6,7 +6,6 @@ from django.shortcuts import render #, redirect from django.http import JsonResponse, FileResponse from django.utils.translation import gettext_lazy as _ from django.views.decorators.http import require_GET, require_POST -from django.views.decorators.csrf import csrf_exempt from django.contrib.auth.decorators import login_required, user_passes_test from django.conf import settings from django.utils import timezone @@ -252,7 +251,6 @@ def export_medias(request): @require_POST -@csrf_exempt def download_api(request): data = json.loads(request.body.decode() or "{}") try: @@ -314,7 +312,6 @@ def replay_view(request): @require_POST -@csrf_exempt def export_api(request): data = json.loads(request.body.decode() or "{}") session_id = data.get("sid")