增加了所有接口的csrf验证。

hunter/models.py

@@ -49,7 +49,7 @@ class Publications(models.Model):
     isOpen = models.CharField(max_length=5, default='1')
     editDateTime = models.DateField(default=timezone.now)
 
-
+# *Pubs vs *Users
 class PubToUser(models.Model):
     pubID = models.BigIntegerField()
     username = models.CharField(max_length=50)

hunter/templates/admin.html

@@ -11,6 +11,7 @@
     <script src="{% static 'jquery.form.js' %}"></script>
 	<script type="text/javascript" src="{% static 'md/showdown.js' %}"></script>
     <script type="text/javascript" src="{% static 'md5.js' %}"></script>
+    <script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
 
 </head>
 <body>
@@ -234,7 +235,6 @@
                 data['password']= $('input')[1].value;
                 data['actiontype']='0'; //0 添加用户 1 删除用户
                 encryptSend('/operator/', data);  // Jsencrypt.do对应服务端处理地址
-                console.log("add user: username = " + username);
             });
             
         });

hunter/templates/editArticle.html

@@ -9,6 +9,7 @@
 	<link rel="stylesheet" type="text/css" href="{% static 'md/markdown.css' %}">
 	<script type="text/javascript" src="{% static 'md/showdown.js' %}"></script>
 	<script type="text/javascript" src="{% static 'bootstrap.min.js' %}"></script>
+    <script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
 </head>
 <body>
 <nav>

hunter/templates/index.html

@@ -339,15 +339,7 @@
         $('#former_member').css('left','-100%');
     }
 
-    /*
-    function logout(){
-        let storage = window.localStorage;
-        storage['username']="";
-        storage['password']="";    
-        $('#top_bar').empty();
-        $('#top_bar').append("<ul><li onclick='login()'>登录</li></ul>");
-    }
-    */
+    
     function click_bar(index){
             let a_list = document.getElementsByClassName("main_bar");
             $(a_list[pre_clicked]).removeClass('active');
@@ -376,6 +368,7 @@
                 data:{
                     "username": username,
                     "password": hex_md5(password),
+                    'csrfmiddlewaretoken': '{{ csrf_token }}'
                 },
                 success:function(response){
                     console.log(response);
@@ -392,7 +385,7 @@
                     }
                 },
                 error:function (xhr) {
-                    console.error('something went wrong...');
+                    console.error('login error...');
                     login_fail("something went wrong...");
                 }
             })
@@ -424,6 +417,7 @@
             dataType:'json',
             data:{
                 "user_id": user_id,
+                'csrfmiddlewaretoken': '{{ csrf_token }}'
             },
             success:function(response){
                 console.log(response);

hunter/templates/profile.html

@@ -6,6 +6,7 @@
     {% load static %}
     <script src="{% static 'jquery-1.9.1.min.js' %}"></script>
     <script type="text/javascript" src="{% static 'md5.js' %}"></script>
+    <script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
 </head>
 <style type="text/css">
     *{
@@ -173,7 +174,7 @@
         outline:none;
         overflow: hidden;
         background-size:contain;
-        background-image: url("/static/hunter/images/add.png");
+        background-image: url("/static/images/add.png");
     }
     .dele_edu{
         width:110px;
@@ -183,7 +184,7 @@
         width:20px;
         height:20px;
         border:none;
-        background-image: url("/static/hunter/images/delete.png");
+        background-image: url("/static/images/delete.png");
     }
 
 
@@ -384,7 +385,7 @@
                     }
                 },
                 error:function (xhr) {
-                    console.error('something went wrong...');
+                    console.error('Modify personal resume failed...');
                 }
             })
         }

hunter/templates/user.html

@@ -123,7 +123,7 @@
                 {% for cve in cve_list %}
                     <ul id="cveid{{ cve.identifier }}">
                         <li class="cve_big_text"><a href="{{ cve.url }}" target="_blank">{{ cve.identifier }}</a></li>
-                        <li class="li_right"><button class="dele_img" onclick="deleCVE({{ cve.identifier }})"></button></li>
+                        <li class="li_right"><button class="dele_img" onclick="deleCVE('{{ cve.identifier }}')"></button></li>
                         <li class="li_right"><button class="edit_img" onclick="create_cve_edit_html(this)"></button></li>
                         <li class="li_right">{{ cve.datetime }}</li>
                         <li class="li_right">{{ cve.bugType }}</li>
@@ -193,9 +193,10 @@
    </div>
 </footer>
 <script type="text/javascript" src="{% static 'bootstrap.min.js' %}"></script>
-    <script type="text/javascript" src="{% static 'bootstrap-datetimepicker.js' %}" charset="UTF-8"></script>
-    <script type="text/javascript" src="{% static 'bootstrap-datetimepicker.zh-CN.js' %}" charset="UTF-8"></script>
-    <script type="text/javascript">
+<script type="text/javascript" src="{% static 'bootstrap-datetimepicker.js' %}" charset="UTF-8"></script>
+<script type="text/javascript" src="{% static 'bootstrap-datetimepicker.zh-CN.js' %}" charset="UTF-8"></script>
+<script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
+<script type="text/javascript">
     $('.form_datetime').datetimepicker({
         //language:  'fr',
         weekStart: 1,
@@ -230,7 +231,6 @@
 </script>
 
 <script type="text/javascript">
-    
     function postAdminPage(){
         console.log("call function postAdminPage");
         $.post("../../ht/admin/", { username: "John", time: "2pm" } );  //Your values here..
@@ -491,7 +491,7 @@
         let date = $('#date_input').val();
         let software = $("input[name='software']").val();
         let url_cve = $("input[name='url_cve']").val();
-        if(url_cve.indexOf('http')===-1){
+        if(url_cve.indexOf('http') === -1){
             url_cve='http://'+url_cve;
         }
         let formatData = new FormData();
@@ -500,7 +500,8 @@
         formatData.append("bugType", bugtype);
         formatData.append("software", software);
         formatData.append("date", date);
-        formatData.append("url",url_cve);
+        formatData.append("url", url_cve);
+
 
         $.ajax({
             url:"{% url 'hunter:add_cve' %} ",

hunter/templates/write.html

@@ -9,6 +9,7 @@
 	<link rel="stylesheet" type="text/css" href="{% static 'md/markdown.css' %}">
 	<script type="text/javascript" src="{% static 'md/showdown.js' %}"></script>
 	<script type="text/javascript" src="{% static 'bootstrap.min.js' %}"></script>
+    <script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
 </head>
 <body>
 <nav>

hunter/views/view_api.py

@@ -17,7 +17,7 @@ from django.db.models.aggregates import Count
 from django.db.models import Count
 from django.views.decorators.csrf import ensure_csrf_cookie
 
-@csrf_exempt
+
 def login(request):
     username = request.POST['username']
     password = request.POST['password']
@@ -36,7 +36,7 @@ def login(request):
             response = JsonResponse({"message": "密码错误"})
     return response
 
-@csrf_exempt
+
 def logout(request):
     print('call logout')
     request.session['user_id'] = None
@@ -44,7 +44,7 @@ def logout(request):
     return response
 
 
-@csrf_exempt
+
 def profile_submit(request):
     userID=request.POST["userID"]
     name_hanzi=request.POST["name_hanzi"]
@@ -86,7 +86,7 @@ def profile_submit(request):
             return JsonResponse({"message":0,'error':e})
 
 
-@csrf_exempt
+
 def save_edit_art(request):
     userID = request.POST.get('userID', '')
     title = request.POST.get('title', '')
@@ -109,7 +109,7 @@ def save_edit_art(request):
     if int(is_have_file) > 0:
         myfile = request.FILES['myfile']
         BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
-        destination = os.path.join(BASE_DIR, 'hunter', 'static', 'articles', myfile.name)
+        destination = os.path.join(BASE_DIR, 'static', 'articles', myfile.name)
         if os.path.exists(destination):
             os.remove(destination)
             with open(destination, 'wb+') as dest:
@@ -161,7 +161,7 @@ def add_url_article(request):
         response = JsonResponse({"message": 0, 'error': '数据库错误'})
     return response
 
-@csrf_exempt
+
 def delete_publication(request):
     pub_id = request.POST['pub_id']
     print(pub_id)
@@ -175,7 +175,7 @@ def delete_publication(request):
     return response
 
 
-@csrf_exempt
+
 def delete_cve(request):
     cve_id = request.POST['cve_id']
     try:
@@ -187,7 +187,7 @@ def delete_cve(request):
         return response
 
 
-@csrf_exempt
+
 def delete_article(request):
     article_id = request.POST['article_id']
     try:
@@ -199,7 +199,7 @@ def delete_article(request):
         return response
 
 
-@csrf_exempt
+
 def change_pub_status(request):
     pubID = request.POST['pubID']
     isOpen = request.POST['isOpen']
@@ -210,7 +210,7 @@ def change_pub_status(request):
     except ObjectDoesNotExist as e:
         return JsonResponse({'message':0,'error':e})
 
-@csrf_exempt
+
 def add_publication(request):
     title = request.POST['title']
     print(title)
@@ -234,7 +234,7 @@ def add_publication(request):
     else:
         pubID = Publications.objects.last().pubID+1
         BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
-        destination = os.path.join(BASE_DIR,'hunter', 'static', 'publications', myfile.name)
+        destination = os.path.join(BASE_DIR, 'static', 'publications', myfile.name)
         if os.path.exists(destination):
             os.remove(destination)
         with open(destination,'wb+') as dest:
@@ -291,7 +291,7 @@ def add_publication(request):
     return response
 
 
-@csrf_exempt
+
 def edit_publication(request):
     pubID = request.POST['pubID']
     title = request.POST['title']
@@ -311,7 +311,7 @@ def edit_publication(request):
     if isHaveFile == '1':
         myfile = request.FILES['myfile']
         BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
-        destination = os.path.join(BASE_DIR,'hunter', 'static', 'publications', myfile.name)
+        destination = os.path.join(BASE_DIR, 'static', 'publications', myfile.name)
         if os.path.exists(destination):
             os.remove(destination)
         with open(destination,'wb+') as dest:
@@ -378,7 +378,7 @@ def edit_publication(request):
                         return JsonResponse({"message": 0})
     return response
 
-@csrf_exempt
+
 def add_cve(request):
     owner = request.POST['owner']
     bugType = request.POST['bugType']
@@ -398,7 +398,7 @@ def add_cve(request):
         return response
 
 
-@csrf_exempt
+
 def edit_cve(request):
     bugType = request.POST['bugType']
     identifier = request.POST['cve_id']
@@ -414,7 +414,7 @@ def edit_cve(request):
         response = JsonResponse({"message": 0})
         return response
 
-@csrf_exempt
+
 def update_article(request):
     art_id = request.POST['art_id']
     print('update_article, art_id = ', art_id)
@@ -428,6 +428,6 @@ def update_article(request):
 
     return JsonResponse({"message": "failed"})
 
-@csrf_exempt
+
 def add_article(request):
     return 0
\ No newline at end of file

hunter/views/view_page.py

@@ -137,9 +137,11 @@ def user_html(request, user_id):
     u = {'userID': user_id, 'name': username}
     my_publication_year_list = {}
     pub_ids = PubToUser.objects.filter(userID=user_id).all().values('pubID')
+    print("user_html publications: ")
     for pub_id in pub_ids:
-        print(pub_id)
+        #print(pub_id, )
         pub = get_object_or_404(Publications, pk=pub_id['pubID'])
+        print(pub.pubID, pub.title)
         year = str(pub.date)[0:4]
         pub.date = str(pub.date)[5:10]
         pub.link = pub.link.split('/')[-1]
@@ -155,6 +157,7 @@ def user_html(request, user_id):
 
     print(publication_year_list)
     print(my_publication_year_list)
+
     my_article_list = Articles.objects.filter(authorID=user_id).order_by('-editDateTime')
     my_article_year_list = {}
     for art in my_article_list:
@@ -323,9 +326,6 @@ def profile_edit(request, user_id):
 
 
 
-
-
-
 def check_admin_privilage(user_id):
     try:
         user_id = int(user_id)
@@ -386,7 +386,6 @@ def user_score_records(request):
         records = ScoreRecords.objects.filter(userID = user_id);
         return render(request,"user_score.html", locals())
 
-@csrf_exempt
 def operator(request):
     message = {}
     print("cal api operator.")