Add XSRF to form

rcthomas · Jun 4, 2024 · cf321d2 · cf321d2
1 parent 8393df3
commit cf321d2
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 0 deletions.
diff --git a/jupyterhub_announcement/announcement.py b/jupyterhub_announcement/announcement.py
@@ -149,6 +149,7 @@ def initialize(self, argv=None):
             "static_path": os.path.join(self.data_files_path, "static"),
             "static_url_prefix": url_path_join(self.service_prefix, "static/"),
             "log": self.log,
+            "xsrf_cookies": True,
         }
 
         self.app = web.Application(

diff --git a/jupyterhub_announcement/handlers.py b/jupyterhub_announcement/handlers.py
@@ -46,6 +46,7 @@ def get(self):
                 base_url=prefix,
                 no_spawner_check=True,
                 parsed_scopes=user.get("hub_scopes") or [],
+                xsrf_form_html=self.xsrf_form_html,
             )
         )
 

diff --git a/templates/index.html b/templates/index.html
@@ -15,6 +15,7 @@
   {% if user.admin %}
   <div class="row">
     <form action="/services/announcement/update" method="post" class="col-md-offset-3 col-md-6">
+      {{ xsrf_form_html() | safe }}
       <div class="form-group">
         <label for="announcement">Announcement</label>
         <textarea class="form-control" id="announcement" name="announcement" rows="2" placeholder="Announcement text..."></textarea>