Standard forms across Allura have a _session_id field inserted by JS. AJAX forms insert it themselves. This is for CSRF protection.
For the standard forms, we can make them work without JS by inserting the field server-side instead of client-side. The ForgeForm class seems like a useful place to do this. Other manually-constructed forms (e.g. I know ForgeImporter templates have some, others are around too probably) will need it in the jinja template. A one-line macro seems like a good way to handle that.
AJAX forms can stay as-is; they use JS already anyway.
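A sketch of the server-side approach described in this ticket, added here as an example and not Allura's own code. The helpers `render_form`, `csrf_field` and `is_valid_post` are hypothetical, the sample form path is constructed, and the sketch assumes the token is kept with the user's session and compared against the posted `_session_id` field.

```python
import hmac
import secrets
from html import escape

FIELD = "_session_id"  # field name taken from the ticket


def new_token() -> str:
    """Random per-session value (assumption: also stored with the session)."""
    return secrets.token_hex(20)


def csrf_field(token: str) -> str:
    """What a one-line template macro would emit in hand-built forms."""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD, escape(token, quote=True))


def render_form(action: str, fields: dict, token: str, method: str = "POST") -> str:
    """Hypothetical stand-in for a form base class that adds the field itself."""
    parts = ['<form method="%s" action="%s">' % (
        escape(method, quote=True), escape(action, quote=True))]
    # Only state-changing forms carry the token; a GET form would put it in URLs.
    if method.upper() != "GET":
        parts.append(csrf_field(token))
    for name, value in fields.items():
        parts.append('<input name="%s" value="%s">' % (
            escape(name, quote=True), escape(value, quote=True)))
    parts.append("</form>")
    return "\n".join(parts)


def is_valid_post(session_token, posted: dict) -> bool:
    """The posted field must match the session token, compared in constant time."""
    submitted = posted.get(FIELD)
    if not session_token or not isinstance(submitted, str):
        return False  # missing session or missing field is a rejection
    return hmac.compare_digest(session_token.encode(), submitted.encode())


if __name__ == "__main__":
    tok = new_token()  # constructed sample session token
    print(render_form("/example/update", {"name": "demo"}, tok))  # constructed path
    print(is_valid_post(tok, {FIELD: tok, "name": "demo"}))
    print(is_valid_post(tok, {"name": "demo"}))
```

Because the field is rendered into the HTML, the form submits correctly with JS disabled, and the server-side check is the same one the JS-inserted field would have to pass.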