From 1cdb6e6d1d1a5bed7026132ed316213e60cb6be1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C4=93teris=20Caune?= Date: Fri, 6 Dec 2019 08:58:32 +0200 Subject: [PATCH] Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection. --- CHANGELOG.md | 3 +++ hc/accounts/views.py | 1 + static/js/signup.js | 2 -- templates/front/signup_modal.html | 2 -- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index be737b34..77c6ed06 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,9 @@ All notable changes to this project will be documented in this file. - Show Healthchecks version in Django admin header (#306) - Added JSON endpoint for Shields.io (#304) +### Bug Fixes +- Don't set CSRF cookie on first visit. Signup is exempt from CSRF protection. + ## v1.11.0 - 2019-11-22 diff --git a/hc/accounts/views.py b/hc/accounts/views.py index ebe8dd0c..e7b7b614 100644 --- a/hc/accounts/views.py +++ b/hc/accounts/views.py @@ -144,6 +144,7 @@ def logout(request): @require_POST +@csrf_exempt def signup(request): if not settings.REGISTRATION_OPEN: return HttpResponseForbidden() diff --git a/static/js/signup.js b/static/js/signup.js index 80078dfa..a674694f 100644 --- a/static/js/signup.js +++ b/static/js/signup.js @@ -3,13 +3,11 @@ $(function () { function submitForm() { var base = document.getElementById("base-url").getAttribute("href").slice(0, -1); var email = $("#signup-email").val(); - var token = $('input[name=csrfmiddlewaretoken]').val(); $("#signup-go").prop("disabled", true); $.ajax({ url: base + "/accounts/signup/", type: "post", - headers: {"X-CSRFToken": token}, data: {"identity": email}, success: function(data) { $("#signup-result").html(data).show(); diff --git a/templates/front/signup_modal.html b/templates/front/signup_modal.html index 65740798..c20b692d 100644 --- a/templates/front/signup_modal.html +++ b/templates/front/signup_modal.html @@ -20,8 +20,6 @@ We will email you a magic sign in link.
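Review bot: Once `signup` carries `@csrf_exempt`, any third-party page can POST an arbitrary `identity` to /accounts/signup/ with no token, so the only controls left on this state-changing endpoint (the template says it emails a magic sign-in link) are `REGISTRATION_OPEN` and whatever throttling the rest of the body applies; the body continues outside the hunk, so that cannot be confirmed here. If the trade-off is intentional, record it at the decorator together with the compensating control, e.g. `# CSRF-exempt on purpose: no CSRF cookie is set before signup (see CHANGELOG). A cross-site POST can only trigger a signup email, so keep per-IP and per-address rate limiting on this view.` Decorator order is fine for a function view because `require_http_methods` wraps with `functools.wraps`, which copies the `csrf_exempt` attribute onto the outer function; the `csrf_exempt` import is not in the hunk, and the diffstat's single insertion suggests it is already imported, which is worth a quick check. The token removal in static/js/signup.js follows from this exemption and needs no separate change.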

- - {% csrf_token %}