From 616a02a79fa2bf4804adf5b73bf94c55343bc6df Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Mon, 16 Jun 2025 10:44:01 +0200 Subject: [PATCH] Make antispam-protected links also be javascript-triggered This makes a tiny javascript run to convert it into a POST and then receive that POST. The idea behind this is to remove the links from view of crawlers (hello AI bots!) that completely ignore robots.txt, causing lots of redirect chains on account of logins. We still allow GET requests on those endpoints, as there are external links pointing to them as well as people having scripts. But those are at least to fewer emails than all. --- django/archives/mailarchives/templates/_message.html | 6 +++--- django/archives/mailarchives/templates/message.html | 1 + django/archives/mailarchives/templates/message_flat.html | 1 + .../archives/mailarchives/templates/message_resend.html | 1 + django/archives/mailarchives/views.py | 3 +++ django/media/js/main.js | 8 ++++++++ 6 files changed, 17 insertions(+), 3 deletions(-) diff --git a/django/archives/mailarchives/templates/_message.html b/django/archives/mailarchives/templates/_message.html index c90a80a..b4f42af 100644 --- a/django/archives/mailarchives/templates/_message.html +++ b/django/archives/mailarchives/templates/_message.html @@ -30,10 +30,10 @@ Views: - Raw Message | Whole Thread | - Download mbox -{%if allow_resend %}| Resend email{%endif%} + Raw Message | + Download mbox +{%if allow_resend %} | Resend email{%endif%} {% if not show_all %} diff --git a/django/archives/mailarchives/templates/message.html b/django/archives/mailarchives/templates/message.html index 3de6998..b099a03 100644 --- a/django/archives/mailarchives/templates/message.html +++ b/django/archives/mailarchives/templates/message.html @@ -6,4 +6,5 @@

{{msg.subject}}

{%endif%} {% include '_message.html' with msg=msg lists=lists %} +
{%endblock%} diff --git a/django/archives/mailarchives/templates/message_flat.html b/django/archives/mailarchives/templates/message_flat.html index c0196af..ff4e105 100644 --- a/django/archives/mailarchives/templates/message_flat.html +++ b/django/archives/mailarchives/templates/message_flat.html @@ -23,4 +23,5 @@
{% endif %} {%endfor%} +
{%endblock%} diff --git a/django/archives/mailarchives/templates/message_resend.html b/django/archives/mailarchives/templates/message_resend.html index 0485726..f964032 100644 --- a/django/archives/mailarchives/templates/message_resend.html +++ b/django/archives/mailarchives/templates/message_resend.html @@ -17,4 +17,5 @@

Message to resend

{% include '_message.html' with msg=msg lists=lists show_all=True %} +
{%endblock%} diff --git a/django/archives/mailarchives/views.py b/django/archives/mailarchives/views.py index 69172bd..1fc1a8a 100644 --- a/django/archives/mailarchives/views.py +++ b/django/archives/mailarchives/views.py @@ -547,6 +547,7 @@ def message_flat(request, msgid): return r +@csrf_exempt @nocache @antispam_auth def message_raw(request, msgid): @@ -606,6 +607,7 @@ def _build_mbox(query, params, msgid=None): return r +@csrf_exempt @nocache @antispam_auth def message_mbox(request, msgid): @@ -650,6 +652,7 @@ def mbox(request, listname, listname2, mboxyear, mboxmonth): @transaction.atomic +@csrf_exempt def resend(request, messageid): if not settings.ALLOW_RESEND: raise PermissionDenied("Access denied.") diff --git a/django/media/js/main.js b/django/media/js/main.js index 6e54b30..d25a86a 100644 --- a/django/media/js/main.js +++ b/django/media/js/main.js @@ -4,6 +4,14 @@ $(function(){ document.location.href = '/message-id/' + $(this).val(); }); + /* Callback for viewing protected versions */ + $('a.post-link').click(function(e) { + if ($(this).data('ref')) { + $('#mail_other_options_form').attr('action', $(this).data('ref')); + $('#mail_other_options_form').submit(); + } + }); + /* * For flat message view, redirect to the anchor of the messageid we're watching, -- 2.39.5
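Review bot: In the third views.py hunk (-650), `@csrf_exempt` on `resend` switches off Django's CSRF check for every POST that view handles, not only the JavaScript-generated navigation POST this commit introduces. The body of `resend` continues outside the hunk, so it is not visible whether it also acts on a POST (a confirmation form, for example). If it does, that state-changing request is now accepted without a token for a logged-in user, and it should stay protected, either by rendering `{% csrf_token %}` into the form the script submits or by handling the confirmation in a separate non-exempt view. The same decorator on `message_raw` and `message_mbox` (hunks at -547 and -606) looks lower risk, since by their names they return message content, though their bodies are also outside the hunks. A comment above each, such as `# csrf_exempt: read-only view; POST is only the JS-driven equivalent of GET`, would record why the exemption is acceptable.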
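Review bot: The new `a.post-link` click handler in main.js accepts `e` but never calls `e.preventDefault()`, so the anchor's default action still runs alongside `submit()`. Whether that is visible to users depends on the `href` the template gives these links, which cannot be read from this page. Adding `e.preventDefault();` as the first statement inside the `if ($(this).data('ref'))` branch makes the form POST the only navigation. The `$('#mail_other_options_form')` lookup is also repeated and could be chained as `.attr('action', $(this).data('ref')).submit()`. The enclosing `$(function(){` block starts and ends outside the hunk.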