authorrubenwardy <rw@rubenwardy.com>2018-05-13 18:37:57 +0100
committerrubenwardy <rw@rubenwardy.com>2018-05-13 18:38:01 +0100
commit889e130e6bfa98974611d3eee3c9073c3753bc9b (patch)
tree8823f5898d95441ca07cf18f65e8642e7c3073fe /app/templates/packages/editrequest_view.html
parent0dc02ed67fff593b6d85fba916d79089aebf5b93 (diff)
Fix CSRF vulnerability on approve/reject links
Fixes #17
Diffstat (limited to 'app/templates/packages/editrequest_view.html')
-rw-r--r--app/templates/packages/editrequest_view.html11
1 files changed, 8 insertions, 3 deletions
diff --git a/app/templates/packages/editrequest_view.html b/app/templates/packages/editrequest_view.html
index ce8f70e..95d4674 100644
--- a/app/templates/packages/editrequest_view.html
+++ b/app/templates/packages/editrequest_view.html
@@ -29,9 +29,14 @@
</div>
{% elif package.checkPerm(current_user, "APPROVE_CHANGES") %}
<div class="box box_grey">
- To resolve this request, either
- <a href="{{ request.getApproveURL() }}">Approve and Apply</a> or
- <a href="{{ request.getRejectURL() }}">Reject</a> it.
+ <form method="post" action="{{ request.getApproveURL() }}">
+ <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+ <input type="submit" value="Approve and Apply" />
+ </form>
+ <form method="post" action="{{ request.getRejectURL() }}">
+ <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+ <input type="submit" value="Reject" />
+ </form>
</div>
{% endif %}
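Review bot: The two POST forms added in this hunk only close the CSRF hole if the approve and reject handlers stop accepting GET and actually validate `csrf_token`; this page is limited to the template, so that server-side half cannot be confirmed from here. If the routes still answer GET, the URLs returned by `request.getApproveURL()` and `request.getRejectURL()` stay triggerable by a plain cross-site request, and the token in the form protects nothing. The handlers should also repeat the `APPROVE_CHANGES` check themselves, since the `{% elif %}` above only decides whether the buttons are rendered. I would record the dependency next to the forms with a template comment such as `{# state-changing: handlers must be POST-only and validate csrf_token #}`.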