From 1cdb6e6d1d1a5bed7026132ed316213e60cb6be1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?=
Date: Fri, 6 Dec 2019 08:58:32 +0200
Subject: [PATCH] Don't set CSRF cookie on first visit. Signup is exempt from
CSRF protection.
---
CHANGELOG.md | 3 +++
hc/accounts/views.py | 1 +
static/js/signup.js | 2 --
templates/front/signup_modal.html | 2 --
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index be737b34..77c6ed06 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file.
- Show Healthchecks version in Django admin header (#306)
- Added JSON endpoint for Shields.io (#304)
+### Bug Fixes
+- Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection.
+
## v1.11.0 - 2019-11-22
diff --git a/hc/accounts/views.py b/hc/accounts/views.py
index ebe8dd0c..e7b7b614 100644
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@@ -144,6 +144,7 @@ def logout(request):
@require_POST
+@csrf_exempt
def signup(request):
if not settings.REGISTRATION_OPEN:
return HttpResponseForbidden()
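Review bot: Exempting this view from CSRF means `/accounts/signup/` now accepts POSTs from any origin, so a page a victim merely visits can make their browser submit arbitrary `identity` addresses and trigger signup mails, spreading the requests across many visitors' IP addresses; any per-IP abuse control this view relies on (not visible in the hunk) should be reviewed with that in mind. Because the exemption is deliberate and easy to mistake for an oversight later, record the reason on the decorator: `# csrf_exempt on purpose: the signup form is rendered before any CSRF cookie exists.` followed by `# This view must not depend on session/cookie state, and rate limiting must not assume same-origin callers.` The rest of signup's body lies outside the hunk.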
diff --git a/static/js/signup.js b/static/js/signup.js
index 80078dfa..a674694f 100644
--- a/static/js/signup.js
+++ b/static/js/signup.js
@@ -3,13 +3,11 @@ $(function () {
function submitForm() {
var base = document.getElementById("base-url").getAttribute("href").slice(0, -1);
var email = $("#signup-email").val();
- var token = $('input[name=csrfmiddlewaretoken]').val();
$("#signup-go").prop("disabled", true);
$.ajax({
url: base + "/accounts/signup/",
type: "post",
- headers: {"X-CSRFToken": token},
data: {"identity": email},
success: function(data) {
$("#signup-result").html(data).show();
diff --git a/templates/front/signup_modal.html b/templates/front/signup_modal.html
index 65740798..c20b692d 100644
--- a/templates/front/signup_modal.html
+++ b/templates/front/signup_modal.html
@@ -20,8 +20,6 @@
We will email you a magic sign in link.
-
- {% csrf_token %}