csrf-correction

This commit is contained in:
denis defolie
2026-07-10 09:49:36 +02:00
parent 695e59174a
commit 90d271dc2b
8 changed files with 17 additions and 12 deletions
+1 -1
View File
@@ -17,7 +17,7 @@ echo
# system # system
echo "==== system essential" echo "==== system essential"
sudo apt -y install build-essential openssl git pkg-config redis supervisor sqlitebrowser samba-client cifs-utils gettext sudo apt -y install build-essential openssl git pkg-config redis supervisor sqlitebrowser samba-client cifs-utils gettext avahi-daemon
echo "==== python3 install" echo "==== python3 install"
sudo apt -y install python3-dev python3-pip python3-venv libpq-dev default-libmysqlclient-dev libmariadb-dev python3-picamera2 sudo apt -y install python3-dev python3-pip python3-venv libpq-dev default-libmysqlclient-dev libmariadb-dev python3-picamera2
@@ -40,3 +40,13 @@ function timestampToLocalISOString(timestamp) {
return toLocalISOString(date); return toLocalISOString(date);
} }
function getCookie(name) {
const match = document.cookie.match('(?:^|; )' + name + '=([^;]*)');
return match ? decodeURIComponent(match[1]) : null;
}
function csrfFetch(url, options = {}) {
options.headers = { ...(options.headers || {}), 'X-CSRFToken': getCookie('csrftoken') };
return fetch(url, options);
}
@@ -58,7 +58,7 @@
}); });
}); });
function export_csv(url, pid, mode) { function export_csv(url, pid, mode) {
fetch(url, { csrfFetch(url, {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ body: JSON.stringify({
-2
View File
@@ -11,7 +11,6 @@ from django.contrib import messages
from django.http import JsonResponse, FileResponse from django.http import JsonResponse, FileResponse
from django.shortcuts import redirect from django.shortcuts import redirect
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from django.views.decorators.csrf import csrf_exempt
from django.shortcuts import render #, redirect from django.shortcuts import render #, redirect
from django.views.decorators.http import require_GET from django.views.decorators.http import require_GET
from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import login_required
@@ -85,7 +84,6 @@ def get_active_session(request, session_id=None, experiment_id=None):
# Vue :Export CSV depuis ReductStore # Vue :Export CSV depuis ReductStore
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
@login_required @login_required
@csrf_exempt
def export_metrics(request): def export_metrics(request):
data = json.loads(request.body.decode() or "{}") data = json.loads(request.body.decode() or "{}")
action = data.get("action") action = data.get("action")
@@ -171,7 +171,7 @@ class ReplayManager {
const ok = confirm(`Télécharger le fichier ?\n\n${filename}`); const ok = confirm(`Télécharger le fichier ?\n\n${filename}`);
if (!ok) return false; if (!ok) return false;
fetch(this.video_endpoint, { csrfFetch(this.video_endpoint, {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ body: JSON.stringify({
@@ -101,7 +101,7 @@
function download_all_images(sid) { function download_all_images(sid) {
const ok = confirm(export_msg +' '+ export_msg_long); const ok = confirm(export_msg +' '+ export_msg_long);
if (!ok) return false; if (!ok) return false;
fetch(image_endpoint, { csrfFetch(image_endpoint, {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ body: JSON.stringify({
@@ -87,7 +87,7 @@
function download_all_videos(sid) { function download_all_videos(sid) {
const ok = confirm(export_msg); const ok = confirm(export_msg);
if (!ok) return false; if (!ok) return false;
fetch(image_endpoint, { csrfFetch(image_endpoint, {
method: 'POST', method: 'POST',
headers: { 'Content-Type': 'application/json' }, headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ body: JSON.stringify({
-3
View File
@@ -6,7 +6,6 @@ from django.shortcuts import render #, redirect
from django.http import JsonResponse, FileResponse from django.http import JsonResponse, FileResponse
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from django.views.decorators.http import require_GET, require_POST from django.views.decorators.http import require_GET, require_POST
from django.views.decorators.csrf import csrf_exempt
from django.contrib.auth.decorators import login_required, user_passes_test from django.contrib.auth.decorators import login_required, user_passes_test
from django.conf import settings from django.conf import settings
from django.utils import timezone from django.utils import timezone
@@ -252,7 +251,6 @@ def export_medias(request):
@require_POST @require_POST
@csrf_exempt
def download_api(request): def download_api(request):
data = json.loads(request.body.decode() or "{}") data = json.loads(request.body.decode() or "{}")
try: try:
@@ -314,7 +312,6 @@ def replay_view(request):
@require_POST @require_POST
@csrf_exempt
def export_api(request): def export_api(request):
data = json.loads(request.body.decode() or "{}") data = json.loads(request.body.decode() or "{}")
session_id = data.get("sid") session_id = data.get("sid")