Merge pull request #3157 from Uninett/fix-csrf-token-rendering-in-for…

…m-template Always render hidden CSRF token input in reusable non-crispy templates
Uninett · Nov 7, 2024 · ca3d09f · ca3d09f
2 parents c3c1ff7 + 713ce0f
commit ca3d09f
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/changelog.d/3157.security.md b/changelog.d/3157.security.md
@@ -0,0 +1 @@
+Ensure that CSRF token info is included when reusing NAV's form templates. This means that flat_form.html and _form_content.html templates will always include a hidden CSRF token input regardless of which form method is set.
diff --git a/python/nav/web/templates/custom_crispy_templates/_form_content.html b/python/nav/web/templates/custom_crispy_templates/_form_content.html
@@ -1,9 +1,7 @@
 {# NB! This template can be used directly (without form template wrapper) for cases where form.helper.form_tag is set to False. #}
 {% load forms %}
 
-{% if form.attrs.method|lower == 'post' %}
-  {% csrf_token %}
-{% endif %}
+{% csrf_token %}
 
 {% include 'foundation-5/errors.html' %}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Ensure that CSRF token info is included when reusing NAV's form templates. This means that flat_form.html and _form_content.html templates will always include a hidden CSRF token input regardless of which form method is set.