Reverts to changeset 435, and just add {% csrf_token %} to template forgot_pw.html, since CSRF protection seems to be only here (surely because of django.contrib.auth.views).
{% extends "site/layout/base_workspace.html" %}
{% load i18n %}
{% block title %}{% blocktrans %}Create a text{% endblocktrans %}{% endblock %}
{% block main %}
{% include "site/macros/text_editor.html" %}
<script type="text/javascript">
<!--
tb_conf['current_tab'] = 'text';
-->
</script>
<script type="text/javascript">
<!--
$(function() {
$(".hidden-text-actions").css('visibility','hidden');
}) ;
-->
</script>
<div id="text" class="tab-meta">
<ul class="sub_list">
<li><a href="{% url text %}">{% blocktrans %}Text list{% endblocktrans %}</a></li>
<li> / </li>
<li class="active_sub">{% blocktrans %}Create a text{% endblocktrans %}</li>
<li> / </li>
<li><a href="{% url text-create-upload %}">{% blocktrans %}Upload a text{% endblocktrans %}</a></li>
</ul>
{% autoescape off %} {{ document }} {% endautoescape %}
<form id="text_create_content" enctype="multipart/form-data" class="wizard-form" action="." method="post">
<table class="wide_form">
<tbody>
{% with 'create_content' as form_type %}
{% include "site/macros/form_fields.html" %}
{% endwith %}
<tr>
<td style="vertical-align: top; width: 20%; text-align:right;">
</td>
<td>
<label></label>
<input id="save_button" name="save" type="submit" value="{% blocktrans %}Save{% endblocktrans %}"/>
<input id="cancel_button" type="button" value="{% blocktrans %}Cancel{% endblocktrans %}"/>
<script type="text/javascript">
<!--
$(document).ready(function(){
$("#cancel_button").click(function () {
needToConfirm = false ;
window.location = "{% url index %}";
});
$("#save_button").click(function () {
needToConfirm = false ;
});
}) ;
-->
</script>
</td>
</tr>
</tbody>
</table>
</form>
{% endblock %}