freeipa / ipa-tuura

GNU General Public License v3.0

Enable CSRF protection for the creds app #81

Closed f-trivino closed 11 months ago

f-trivino commented 11 months ago

Enable CSRF protection for the creds app, based on:

https://docs.djangoproject.com/en/1.8/ref/csrf/#how-it-works

Example from keycloak plugin: https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/commit/5e201e59be9630ac0551b9d06509401d24740242

flo-renaud commented 11 months ago

This would have to be double-checked; is anything really missing? The form already contains {% csrf_token %}: https://github.com/freeipa/ipa-tuura/blob/8efb132b69b25c1f89f99028244310176426b5fb/src/ipa-tuura/creds/templates/creds/simple_pwd.html#L13C9-L13C25

and in settings.py we have MIDDLEWARE = [ ... , 'django.middleware.csrf.CsrfViewMiddleware', ...]: https://github.com/freeipa/ipa-tuura/blob/main/src/ipa-tuura/root/settings.py#L55
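
The two pointers above are the two halves of Django's CSRF defence: the per-client secret that CsrfViewMiddleware stores in the csrftoken cookie, and the per-render masked copy of that secret that {% csrf_token %} emits as a hidden csrfmiddlewaretoken field. The Python below is an added illustration written for this page, modelled on the mechanism described in the linked Django docs; it is not Django's code and not code from ipa-tuura or the Keycloak plugin. Request, csrf_check, extract_csrf_token and the host name are hypothetical names chosen here.

```python
"""Toy model of Django's CSRF cookie + masked form token (illustration, not Django's code)."""
import hmac
import re
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32                      # length of the csrftoken cookie value
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH   # mask + masked secret in the form field
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
_IDX = {c: i for i, c in enumerate(CSRF_ALLOWED_CHARS)}
_N = len(CSRF_ALLOWED_CHARS)


def new_csrf_secret() -> str:
    """Secret the middleware sets in the csrftoken cookie (one per client)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Form token = random mask || (secret shifted by mask): every rendered page carries
    a different token, yet all of them unmask to the same cookie secret."""
    mask = new_csrf_secret()
    masked = "".join(CSRF_ALLOWED_CHARS[(_IDX[s] + _IDX[m]) % _N] for s, m in zip(secret, mask))
    return mask + masked


def unmask_token(token: str) -> str:
    """Inverse of mask_secret: recover the cookie secret from a form token."""
    mask, masked = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(CSRF_ALLOWED_CHARS[(_IDX[c] - _IDX[m]) % _N] for c, m in zip(masked, mask))


def csrf_token_tag(secret: str) -> str:
    """Hidden input that {% csrf_token %} expands to inside the form."""
    return f'<input type="hidden" name="csrfmiddlewaretoken" value="{mask_secret(secret)}">'


def extract_csrf_token(html: str) -> Optional[str]:
    """What a non-browser client has to do: pull the token out of the fetched form so it
    can be posted back together with the csrftoken cookie it received."""
    m = re.search(r'name="csrfmiddlewaretoken"\s+value="([A-Za-z0-9]+)"', html)
    return m.group(1) if m else None


@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest (hypothetical, for this example only)."""
    method: str
    cookies: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    is_secure: bool = False
    host: str = "ipa-tuura.example.test"   # constructed host name


def _well_formed(value: str, length: int) -> bool:
    return len(value) == length and all(c in CSRF_ALLOWED_CHARS for c in value)


def csrf_check(request: Request):
    """Decision CsrfViewMiddleware makes before the view runs: (allowed, reason)."""
    if request.method in SAFE_METHODS:
        return True, "safe method, no check"
    if request.is_secure:
        # Over HTTPS Django additionally requires a same-origin Referer.
        ref = urlsplit(request.headers.get("Referer", ""))
        if ref.scheme != "https" or ref.netloc != request.host:
            return False, "Referer checking failed"
    cookie = request.cookies.get("csrftoken", "")
    if not _well_formed(cookie, CSRF_SECRET_LENGTH):
        return False, "CSRF cookie not set"
    token = request.POST.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken", "")
    if not _well_formed(token, CSRF_TOKEN_LENGTH):
        return False, "CSRF token missing or incorrect"
    # A cross-site page can make the browser send the cookie, but cannot read the token.
    if not hmac.compare_digest(unmask_token(token), cookie):
        return False, "CSRF token missing or incorrect"
    return True, "ok"


if __name__ == "__main__":
    secret = new_csrf_secret()
    page = f"<form method='post'>{csrf_token_tag(secret)}<input name='password'></form>"
    token = extract_csrf_token(page)
    print(csrf_check(Request("POST", {"csrftoken": secret}, {"csrfmiddlewaretoken": token})))
    print(csrf_check(Request("POST", {"csrftoken": secret}, {})))  # forged cross-site POST
```

The last two calls show why both halves matter: with the cookie alone (the situation a forged cross-site POST is in) the request is rejected, and only a client that fetched the form, kept the csrftoken cookie and echoed the extracted csrfmiddlewaretoken gets through. A client that posts to the creds form without a browser has to perform exactly that cookie-plus-token round trip.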

f-trivino commented 11 months ago

Thanks @flo-renaud!!! Looks like changes are only needed in the keycloak plugin. @justin-stephenson will test and close this ticket if no issues.

justin-stephenson commented 11 months ago

Fix here https://github.com/justin-stephenson/scim-keycloak-user-storage-spi/pull/15 is working in my limited testing.

f-trivino commented 11 months ago

thank you @justin-stephenson , I'm closing this ticket.