There seem to be many pinax apps that work with ajax using a specific urlpattern for that pinax app.
For example there is the ratings app. It uses ajax.
Normally you'd ajax to the page the product is on. You'd need to get CSRF token from there. So, the user or a bot would actually need to visit the page to rate the product.
So all the security mixins would work.
However pinax uses a url like site.com/ratings
. Where does this ratings form get the CSRF from? If it can only get it from the product page it is secure, cos we can apply security measures on the page.
How ever if the CSRF is got from the sites.com/ratings
a bot could easily bypass all the security mixins on the product page and directly mass upvote or downvote or rate the products.
Does it get the CSRF from site.com/ratings
or the product or view page in which the widget is embedded.
Same goes for likes and similar apps.
TL;DR:
1) Can someone create a bot to mass rate or vote pinax apps like ratings that works without even visiting the product or post or model view and just by visiting the pinax apps URL thus bypassing all security measures placed as a mixin to the product page?
2) Are any security measures takes in the template tag
so that the ratings ajax works only in the page in which the template tag
is embedded?
Ideally, the site developer is using middleware to protect all their views.
For example, all our starter projects ship with the CsrfViewMiddleware
turned on:
https://github.com/pinax/pinax-starter-projects/blob/account/project_name/settings.py#L111
So that takes you to needing to pass along the CSRF token with your ajax request in order for the post
handler of the views in Pinax ajax views to work. To do this, you should include something like:
https://github.com/pinax/pinax-starter-projects/blob/account/static/src/js/ajax.js
and
https://github.com/pinax/pinax-starter-projects/blob/account/static/src/js/index.js#L14
In your JS pipeline. This is based on the Django Documentation.