- **summary**: Provide non-javascript fallback behavior --> Move CSRF token insertion from JS to easywidgets - Description has changed:
Diff: ~~~~ --- old +++ new @@ -1,3 +1,5 @@ -Site functions should continue to work with Javascript disabled. +Standard forms across on Allura have a `_session_id` field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection. -Ref: [forge:site-support:#2017] +For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The `ForgeForm` class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that. + +AJAX forms can stay as-is, they use JS already anyway. ~~~~ --- ** [tickets:#5475] Move CSRF token insertion from JS to easywidgets** **Status:** open **Labels:** support p3 **Created:** Mon Dec 17, 2012 09:27 PM UTC by Rich Bowen **Last Updated:** Wed Apr 24, 2013 01:18 PM UTC **Owner:** nobody Standard forms across on Allura have a `_session_id` field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection. For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The `ForgeForm` class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that. AJAX forms can stay as-is, they use JS already anyway. --- Sent from sourceforge.net because [email protected] is subscribed to https://sourceforge.net/p/allura/tickets/ To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
