From cf321d2e27fbac96a087fd6b20cc8bfc65041774 Mon Sep 17 00:00:00 2001
From: Rollin Thomas
Date: Mon, 3 Jun 2024 23:14:29 -0700
Subject: [PATCH] Add XSRF to form
---
 jupyterhub_announcement/announcement.py | 1 +
 jupyterhub_announcement/handlers.py | 1 +
 templates/index.html | 1 +
 3 files changed, 3 insertions(+)
diff --git a/jupyterhub_announcement/announcement.py b/jupyterhub_announcement/announcement.py
index 12d3010..add135b 100644
--- a/jupyterhub_announcement/announcement.py
+++ b/jupyterhub_announcement/announcement.py
@@ -149,6 +149,7 @@ def initialize(self, argv=None):
 "static_path": os.path.join(self.data_files_path, "static"),
 "static_url_prefix": url_path_join(self.service_prefix, "static/"),
 "log": self.log,
+ "xsrf_cookies": True,
 }
 self.app = web.Application(
diff --git a/jupyterhub_announcement/handlers.py b/jupyterhub_announcement/handlers.py
index 79a2b62..d1834cf 100644
--- a/jupyterhub_announcement/handlers.py
+++ b/jupyterhub_announcement/handlers.py
@@ -46,6 +46,7 @@ def get(self):
 base_url=prefix,
 no_spawner_check=True,
 parsed_scopes=user.get("hub_scopes") or [],
+ xsrf_form_html=self.xsrf_form_html,
 )
 )
diff --git a/templates/index.html b/templates/index.html
index 9799103..d23319c 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -15,6 +15,7 @@ {% if user.admin %}
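Review bot: The added `"xsrf_cookies": True` entry in the settings dict of `initialize` leaves the `_xsrf` cookie at Tornado's defaults, so it is set with path `/` rather than scoped to this service. The service is mounted under `self.service_prefix`, presumably on a host it shares with the hub and other services, so that cookie is visible to and can be overwritten by anything else served there. Adding `"xsrf_cookie_kwargs": {"path": self.service_prefix},` next to the new line would scope it. The setting also enforces the check on every non-GET handler in the application. Any endpoint called with an API token instead of a browser session (none visible in this hunk) will start returning 403 unless it sends `_xsrf` or makes an explicit, documented `check_xsrf_cookie` decision. `initialize` starts and ends outside the hunk.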
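Review bot: The new keyword `xsrf_form_html=self.xsrf_form_html` in `get` passes the bound method rather than rendered markup, and nothing at the call site says so. Tornado creates the token and sets the `_xsrf` cookie as a side effect the first time the method is called, so the cookie is issued only if the template actually renders the form. That should be stated where the argument is passed, for example `# Bound method, called by the template: token and cookie are created only when the form is rendered.` It also explains why the template marks the result safe: Tornado escapes the token value itself, so the returned hidden-input markup must not be escaped a second time. `get` starts and ends outside the hunk.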
+ {{ xsrf_form_html() | safe }}