Checklist

Check-in [1e0662e9e3]

Overview
Comment: Add a warning to the login page if the client is not sending Referer headers.
SHA1: 1e0662e9e382308ac852da768d269904b8c27011
User & Date: drh 2018-01-30 20:39:28.849
Context
2018-01-30
23:47
Update to make use of SAME_ORIGIN. check-in: 0280010860 user: drh tags: trunk
20:39
Add a warning to the login page if the client is not sending Referer headers. check-in: 1e0662e9e3 user: drh tags: trunk
19:09
Omit all use of the global ::wapp dict check-in: 7b0c5b9f45 user: drh tags: trunk
Changes
Changes to checklist.tcl.
154
155
156
157
158
159
160










161
162
163
164
165
166
167
                          AND hex(value)=$px}]
    if {$ok} {
      wapp-set-cookie checklist-login $u,$px
      wapp-redirect index
      return
    }
    wapp-subst {<p class='error'>Invalid username or password</p>\n}










  }
  wapp-trim {
    <form method='POST' action='login'>
    <table border="0">
    <tr><td align='right'>Login:&nbsp;</td>
        <td><input type='text' name='u' width='20'></td></tr>
    <tr><td align='right'>Password:&nbsp;</td>







>
>
>
>
>
>
>
>
>
>







154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
                          AND hex(value)=$px}]
    if {$ok} {
      wapp-set-cookie checklist-login $u,$px
      wapp-redirect index
      return
    }
    wapp-subst {<p class='error'>Invalid username or password</p>\n}
  }
  if {![wapp-param-exists HTTP_REFERER]} {
    wapp-trim {
       <h2>Warning: No "Referer" header</h2>
       <p> As a defense against cross-site request forgeries, this website
       ignores all POST requests that omit the "Referer:" from the header.
       The request that resulted in this page has no "Referer:" entry 
       in the header.
       So, unless something changes, you won't be able to log in.</p>
    }
  }
  wapp-trim {
    <form method='POST' action='login'>
    <table border="0">
    <tr><td align='right'>Login:&nbsp;</td>
        <td><input type='text' name='u' width='20'></td></tr>
    <tr><td align='right'>Password:&nbsp;</td>
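Review bot: the new `wapp-param-exists HTTP_REFERER` check only reports that the header is absent; the warning text tells the user that POST requests without "Referer:" are ignored, but nothing in this hunk shows where that rejection happens, so either include the enforcing code in this change or have the comment point at it so the two cannot drift apart. Since the test is for presence only, the message is accurate for clients that suppress the header entirely (for example a `no-referrer` Referrer-Policy or a stripping proxy) but says nothing about a Referer from another origin; if cross-origin POSTs are also refused, the paragraph should say so, otherwise a user with the header present but wrong will see no warning and only the generic login failure. Minor: trailing whitespace after `has no "Referer:" entry `.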
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
    }
  }
  while {$level>0} {
    wapp-subst {</ol>\n}
    incr level -1
  }

  # Render the edit dialog box.  CSS sets display: none on this so that
  # it does not appear.  Javascript will turn it on and position it on
  # the correct element following any click on the checklist.
  #
  if {![wapp-param WRITE 0]} {
    wapp-trim {
      <div id="editBox">
      <form id="editForm" method="POST">







|







237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
    }
  }
  while {$level>0} {
    wapp-subst {</ol>\n}
    incr level -1
  }

  # Render the edit dialog box. CSS sets "display: none;" on this so that
  # it does not appear.  Javascript will turn it on and position it on
  # the correct element following any click on the checklist.
  #
  if {![wapp-param WRITE 0]} {
    wapp-trim {
      <div id="editBox">
      <form id="editForm" method="POST">
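Review bot: comment-only change; while the comment is being touched, `Javascript` should read `JavaScript`, and it would help a reader to name the stylesheet rule that applies `display: none;` to `#editBox`, since the comment now quotes the rule but not its location.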
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
      </table>
      </form>
      </div>
    }
  }
    
  # The cklistUser object is JSON that contains information about the
  # login user and the capabilities of the login user, which is the
  # javascript code needs to know in order to activate various features.
  #
  wapp-subst {<script id='cklistUser' type='application/json'>}
  if {![wapp-param CKLIST_WRITE]} {
    wapp-subst {{"user":"","canWrite":0,"isAdmin":0}}
  } else {
    set u [wapp-param CKLIST_USER]







|







271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
      </table>
      </form>
      </div>
    }
  }
    
  # The cklistUser object is JSON that contains information about the
  # login user and the capabilities of the login user, which the
  # javascript code needs to know in order to activate various features.
  #
  wapp-subst {<script id='cklistUser' type='application/json'>}
  if {![wapp-param CKLIST_WRITE]} {
    wapp-subst {{"user":"","canWrite":0,"isAdmin":0}}
  } else {
    set u [wapp-param CKLIST_USER]
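Review bot: grammar fix in the comment is correct. One thing to confirm in the code just below this hunk: the `else` branch reads `CKLIST_USER` into `u`, and the branch above shows that the `cklistUser` object is written as raw text with `wapp-subst` inside a `<script type='application/json'>` element, so wherever `$u` is emitted it must be escaped both as a JSON string (quotes, backslashes, control characters) and for the `</script>` sequence; a comment stating that the value is escaped at that point would make the intent clear.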