Protect trade with CSRF

pflaenzli/pflaenzli/sitemaps.py

@@ -0,0 +1,13 @@
+from django.contrib import sitemaps
+from django.urls import reverse
+
+
+class StaticViewSitemap(sitemaps.Sitemap):
+    priority = 0.5
+    changefreq = 'monthly'
+
+    def items(self):
+        return ['index', 'list_offers', 'create_offer', 'register_user', 'faq', 'imprint']
+
+    def location(self, item):
+        return reverse(item)

pflaenzli/pflaenzli/templates/403.html

@@ -0,0 +1,18 @@
+{% extends 'base.html' %}
+{% load i18n %}
+{% block title %}
+    {% trans "Not found" %}
+{% endblock title %}
+{% block content %}
+    <div>
+        <h1 class="mb-5">
+            <span class="badge bg-danger">Error 403</span> {% trans "Forbidden" %}
+        </h1>
+        <p class="mb-5 blockquote w-75 m-auto">
+            {% blocktrans %}Halt! You've reached a forbidden enclave. Access to this hidden sanctuary is restricted, and its secrets are reserved for chosen ones. We apologize for any inconvenience caused by this unattainable allure.Please explore the accessible realms of our botanical wonders while the forbidden gates remain sealed. If you think your worthy, please let your message reach us.{% endblocktrans %}
+        </p>
+        <h2>{% trans "What now?" %}</h2>
+        <a href="{% url 'index' %}" class="btn btn-pfl">{% trans "Go home" %}</a>
+        <a href="mailto:contact@pflaenz.li" class="btn btn-secondary">{% trans "Report error" %}</a>
+    </div>
+{% endblock content %}

pflaenzli/pflaenzli/templates/403_csrf.html

@@ -0,0 +1,18 @@
+{% extends 'base.html' %}
+{% load i18n %}
+{% block title %}
+    {% trans "Not found" %}
+{% endblock title %}
+{% block content %}
+    <div>
+        <h1 class="mb-5">
+            <span class="badge bg-danger">Error 403</span> {% trans "Forbidden" %} ({% trans "CSRF verification failed" %})
+        </h1>
+        <p class="mb-5 blockquote w-75 m-auto">
+            {% blocktrans %}Halt! Only bearers of the CSRF token are allowed past this point. This protective enchantment prevents unauthorized actions and ensures security. Please ensure the validity of your session and attempt again. Should you seek further guidance, our plant mystics stands ready to lend their wisdom and support on your journey.{% endblocktrans %}
+        </p>
+        <h2>{% trans "What now?" %}</h2>
+        <a href="{% url 'index' %}" class="btn btn-pfl">{% trans "Go home" %}</a>
+        <a href="mailto:contact@pflaenz.li" class="btn btn-secondary">{% trans "Report error" %}</a>
+    </div>
+{% endblock content %}

pflaenzli/pflaenzli/templates/404.html

@@ -0,0 +1,18 @@
+{% extends 'base.html' %}
+{% load i18n %}
+{% block title %}
+    {% trans "Not found" %}
+{% endblock title %}
+{% block content %}
+    <div>
+        <h1 class="mb-5">
+            <span class="badge bg-danger">Error 404</span> {% trans "Page not found" %}
+        </h1>
+        <p class="mb-5 blockquote w-75 m-auto">
+            {% blocktrans %}Alas! Your path has led you astray in the depths of the enchanted forest. The elusive plant you seek has hidden itself amidst the mystical foliage. If you have a map, please share it with us!{% endblocktrans %}
+        </p>
+        <h2>{% trans "What now?" %}</h2>
+        <a href="{% url 'index' %}" class="btn btn-pfl">{% trans "Go home" %}</a>
+        <a href="mailto:contact@pflaenz.li" class="btn btn-secondary">{% trans "Report error" %}</a>
+    </div>
+{% endblock content %}

pflaenzli/pflaenzli/templates/500.html

@@ -0,0 +1,18 @@
+{% extends 'base.html' %}
+{% load i18n %}
+{% block title %}
+    {% trans "Not found" %}
+{% endblock title %}
+{% block content %}
+    <div>
+        <h1 class="mb-5">
+            <span class="badge bg-danger">Error 500</span> {% trans "Forbidden" %}
+        </h1>
+        <p class="mb-5 blockquote w-75 m-auto">
+            {% blocktrans %}Uh-oh! The delicate balance of the botanical realms has been disrupted. The forces of nature are in disarray, and our plant guardians are diligently working to restore harmony. We apologize for any inconvenience caused during this mystical turbulence. Please bear with us as we channel our magic to mend the rupture. Please contact us, if you have any information that could help to dispel the dark magic!{% endblocktrans %}
+        </p>
+        <h2>{% trans "What now?" %}</h2>
+        <a href="{% url 'index' %}" class="btn btn-pfl">{% trans "Go home" %}</a>
+        <a href="mailto:contact@pflaenz.li" class="btn btn-secondary">{% trans "Report error" %}</a>
+    </div>
+{% endblock content %}

pflaenzli/pflaenzli/templates/offer/detail.html

@@ -86,6 +86,10 @@
                 <div class="alert alert-warning" role="alert">{% trans "There are currently no wishes!" %}</div>
             {% endif %}
         </div>
-        <a class="btn btn-pfl mb-3" href="{% url 'offer_trade' offer.id %}">{% trans "Offer trade" %}</a>
+        <form method="post" action="{% url 'offer_trade' %}">
+            {% csrf_token %}
+            <input type="hidden" name="offer" value="{{ offer.id }}"/>
+            <button class="btn btn-pfl mb-3" data-umami-event="Trade offer">{% trans "Offer trade" %}</button>
+        </form>
     {% endif %}
 {% endblock %}

pflaenzli/pflaenzli/urls.py

@@ -1,10 +1,17 @@
 from django.conf import settings
 from django.conf.urls.static import static
 from django.contrib.auth import views as auth_views
-from django.urls import path, include
+from django.contrib.sitemaps.views import sitemap
+from django.urls import include, path
 from django.views.generic import TemplateView
 
 from . import views
+from .sitemaps import StaticViewSitemap
+
+sitemaps = {
+    'static': StaticViewSitemap,
+}
+
 
 urlpatterns = [
     path("", TemplateView.as_view(template_name='app/index.html'), name="index"),
@@ -13,7 +20,7 @@ urlpatterns = [
     path("offer/<int:offer_id>/", views.offer_detail, name="offer_detail"),
     path("offer/<int:offer_id>/delete/", views.offer_delete, name="offer_delete"),
     path("offer/<int:offer_id>/edit/", views.offer_edit, name="offer_edit"),
-    path("offer/<int:offer_id>/trade/", views.offer_trade, name="offer_trade"),
+    path("trade/", views.offer_trade, name="offer_trade"),
     path("accounts/<int:user_id>", views.user_detail, name="user_detail"),
     path("accounts/<int:user_id>/wishlist/", views.wishlist, name="wishlist"),
     path('accounts/login/', auth_views.LoginView.as_view(template_name='registration/login.html')),
@@ -33,4 +40,6 @@ urlpatterns = [
     path("imprint/", TemplateView.as_view(template_name='app/imprint.html'), name="imprint"),
     path("wish/delete/<str:wish_id>", views.delete_wish, name='delete_wish'),
     path("i18n/", include("django.conf.urls.i18n")),
+    path('sitemap.xml', sitemap, {'sitemaps': sitemaps},
+         name='django.contrib.sitemaps.views.sitemap'),
 ]

pflaenzli/pflaenzli/views.py

@@ -150,7 +150,8 @@ def delete_wish(request, wish_id):
 
 
 @login_required
-def offer_trade(request, offer_id):
+def offer_trade(request):
+    offer_id = int(request.POST['offer'])
     offer = get_object_or_404(Offer, id=offer_id)
     sender = request.user
     recipient = offer.user
@@ -182,7 +183,18 @@ def register_user(request):
     else:
         form = RegistrationForm()
 
-    return render(request, "basic_form.html", {"form": form, "button_label": _("Register"), "title": _("Registeration")})
+
+
+def error_404(request, exception):
+    return render(request, '404.html')
+
+
+def error_403(request, exception):
+    return render(request, '403.html')
+
+
+def error_500(request):
+    return render(request, '500.html')
 
 
 def filter_offers(offers, form):

pflaenzli/pflaenzli_django/settings.py

@@ -49,6 +49,7 @@ INSTALLED_APPS = [
     "crispy_forms",
     "crispy_bootstrap5",
     "friendly_captcha",
+    "django.contrib.sitemaps",
 ]
 
 MIDDLEWARE = [

pflaenzli/pflaenzli_django/urls.py

@@ -26,3 +26,7 @@ urlpatterns = [
 ]
 urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
 urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
+
+handler404 = 'pflaenzli.views.error_404'
+handler403 = 'pflaenzli.views.error_403'
+handler500 = 'pflaenzli.views.error_500'