bjoern/Hellas-Wawi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a8b26a25dad04ddd3250f477d65ea751af968f41
Hellas-Wawi/wawi/templates/users.html
Bjoern Welker e062a1e836 security: add CSRF protection to all forms 
- Add Flask-WTF dependency for CSRF protection
- Initialize CSRFProtect in app.py
- Add CSRF tokens to all POST forms in templates
- Exempt /order JSON API endpoint (uses API key instead)

This protects against Cross-Site Request Forgery attacks on all
admin and user management operations.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-06 08:01:22 +01:00

69 lines
2.2 KiB
HTML
Executable File
Raw Blame History

{% extends "base.html" %}
{% block content %}
<div class="card form-card">
<h2>Benutzer verwalten</h2>
{% if error %}
<div class="note">{{ error }}</div>
{% endif %}
{% with messages = get_flashed_messages() %}
{% if messages %}
<div class="note">
{% for m in messages %}
<div>{{ m }}</div>
{% endfor %}
</div>
{% endif %}
{% endwith %}
<form method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="form-grid">
<label>
Benutzername
<input type="text" name="username" required />
</label>
<label>
Passwort
<input type="password" name="password" required />
</label>
</div>
<div class="form-actions">
<button class="btn btn-accent" type="submit">Anlegen</button>
</div>
</form>
</div>
<div class="card" style="margin-top: 14px;">
<table>
<thead>
<tr>
<th>Benutzer</th>
<th>Erstellt</th>
<th class="actions">Aktion</th>
</tr>
</thead>
<tbody>
{% for u in rows %}
<tr>
<td>{{ u.username }}</td>
<td>{{ u.created_at }}</td>
<td class="actions">
<form method="post" action="{{ url_for('bp.reset_user_password', user_id=u.id) }}" onsubmit="return confirm('Passwort für diesen Benutzer wirklich zurücksetzen?');">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button class="btn small" type="submit">Passwort neu</button>
</form>
<form method="post" action="{{ url_for('bp.delete_user', user_id=u.id) }}" onsubmit="return confirm('Benutzer wirklich löschen?');">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button class="btn small danger" type="submit">Löschen</button>
</form>
</td>
</tr>
{% else %}
<tr>
<td colspan="3" class="empty">Keine Benutzer.</td>
</tr>
{% endfor %}
</tbody>
</table>
</div>
{% endblock %}
Reference in New Issue View Git Blame Copy Permalink