From 130605a04c872fdde22458271778eb1bdf9e7508 Mon Sep 17 00:00:00 2001
From: Martin Mahner
Date: Tue, 17 Dec 2013 22:52:21 +0100
Subject: [PATCH] Added csrf support. Closes issue #34.
---
dpaste/disable.py | 3 ---
dpaste/settings/__init__.py | 2 +-
dpaste/templates/dpaste/about.html | 1 +
dpaste/views.py | 2 ++
4 files changed, 4 insertions(+), 4 deletions(-)
delete mode 100644 dpaste/disable.py
diff --git a/dpaste/disable.py b/dpaste/disable.py
deleted file mode 100644
index 5e0795a..0000000
--- a/dpaste/disable.py
+++ /dev/null
@@ -1,3 +0,0 @@
-class DisableCSRF(object):
- def process_request(self, request):
- setattr(request, '_dont_enforce_csrf_checks', True)
diff --git a/dpaste/settings/__init__.py b/dpaste/settings/__init__.py
index 185ab4a..63e3e39 100644
--- a/dpaste/settings/__init__.py
+++ b/dpaste/settings/__init__.py
@@ -83,7 +83,7 @@ LOGIN_REDIRECT_URL = '/'
#==============================================================================
MIDDLEWARE_CLASSES = (
- 'dpaste.disable.DisableCSRF',
+ 'django.middleware.csrf.CsrfViewMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
diff --git a/dpaste/templates/dpaste/about.html b/dpaste/templates/dpaste/about.html
index c7c3839..ddf70b3 100644
--- a/dpaste/templates/dpaste/about.html
+++ b/dpaste/templates/dpaste/about.html
@@ -72,6 +72,7 @@
diff --git a/dpaste/views.py b/dpaste/views.py
index 629608f..1a757d0 100644
--- a/dpaste/views.py
+++ b/dpaste/views.py
@@ -14,6 +14,7 @@ from django.core.urlresolvers import reverse
from django.db.models import Count
from django.views.defaults import (page_not_found as django_page_not_found,
server_error as django_server_error)
+from django.views.decorators.csrf import csrf_exempt
from dpaste.forms import SnippetForm
from dpaste.models import Snippet
@@ -265,6 +266,7 @@ FORMAT_MAPPING = {
'json': _format_json,
}
+@csrf_exempt
def snippet_api(request):
content = request.POST.get('content', '').strip()
lexer = request.POST.get('lexer', LEXER_DEFAULT).strip()
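Review bot: The `@csrf_exempt` added above `snippet_api` carries no comment saying why this one view opts out of the check the commit enables everywhere else. The view reads `content` and `lexer` straight from `request.POST`, so any third-party page can make a visitor's browser submit a paste here; that is acceptable only while the view stays anonymous and never acts on `request.user` or session data, which the visible lines do not show either way. I would add above the decorator `# CSRF-exempt on purpose: called by non-browser API clients that hold no CSRF cookie; must not use request.user or session state.` Also consider stacking `@require_POST` (from `django.views.decorators.http`) under it so the exempt endpoint accepts only the method it is meant for. The body of `snippet_api` continues past the end of the hunk, so how it handles an empty `content` cannot be checked from here.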