bjoern/Hellas-Wawi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e062a1e83606e7a49996b3f2dbc1b31b9241dc64
Hellas-Wawi/wawi/templates/orders.html
Bjoern Welker e062a1e836 security: add CSRF protection to all forms 
- Add Flask-WTF dependency for CSRF protection
- Initialize CSRFProtect in app.py
- Add CSRF tokens to all POST forms in templates
- Exempt /order JSON API endpoint (uses API key instead)

This protects against Cross-Site Request Forgery attacks on all
admin and user management operations.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-06 08:01:22 +01:00

82 lines
2.8 KiB
HTML
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{% extends "base.html" %}
{% block content %}
{% with messages = get_flashed_messages() %}
{% if messages %}
<div class="note">
{% for m in messages %}
<div>{{ m }}</div>
{% endfor %}
</div>
{% endif %}
{% endwith %}
<div class="card">
<table>
<thead>
<tr>
<th>Datum</th>
<th>Name</th>
<th>Handy</th>
<th>Mannschaft</th>
<th>Artikel</th>
<th>Größe</th>
<th>Menge</th>
<th>Notiz</th>
<th>Status</th>
<th class="actions">Aktion</th>
</tr>
</thead>
<tbody>
{% for o in rows %}
<tr>
<td>{{ o.created_at }}</td>
<td>{{ o.name }}</td>
<td>{{ o.handy }}</td>
<td>{{ o.mannschaft }}</td>
<td>{{ o.artikel }}</td>
<td>{{ o.groesse }}</td>
<td>{{ o.menge }}</td>
<td>{{ o.notiz or "" }}</td>
<td>
{% if o.canceled %}Storniert
{% elif o.done %}Erledigt
{% else %}Offen
{% endif %}
</td>
<td class="actions">
{% if not o.done and not o.canceled %}
<form method="post" action="{{ url_for('bp.complete_order', order_id=o.id) }}" onsubmit="return confirm('Bestellung als erledigt markieren?');">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button class="btn small" type="submit">Erledigt</button>
</form>
<form method="post" action="{{ url_for('bp.cancel_order', order_id=o.id) }}" onsubmit="return confirm('Bestellung wirklich stornieren?');">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button class="btn small danger" type="submit">Stornieren</button>
</form>
{% else %}
{% endif %}
</td>
</tr>
<tr class="order-history">
<td colspan="10">
<details class="inline-details">
<summary>Historie</summary>
<div class="history-grid">
<div><strong>Abgeschlossen von:</strong> {{ o.completed_by or "" }}</div>
<div><strong>Abgeschlossen am:</strong> {{ o.completed_at or "" }}</div>
<div><strong>Storniert von:</strong> {{ o.canceled_by or "" }}</div>
<div><strong>Storniert am:</strong> {{ o.canceled_at or "" }}</div>
</div>
</details>
</td>
</tr>
{% else %}
<tr>
<td colspan="10" class="empty">Keine Bestellungen.</td>
</tr>
{% endfor %}
</tbody>
</table>
</div>
{% endblock %}
Reference in New Issue View Git Blame Copy Permalink