Fix CSRF vulnerability on approve/reject links

Fixes #17
author: rubenwardy <rw@rubenwardy.com> 2018-05-13 18:37:57 +0100
committer: rubenwardy <rw@rubenwardy.com> 2018-05-13 18:38:01 +0100
commit: 889e130e6bfa98974611d3eee3c9073c3753bc9b (patch)
tree: 8823f5898d95441ca07cf18f65e8642e7c3073fe /app/templates/packages/view.html
parent: 0dc02ed67fff593b6d85fba916d79089aebf5b93 (diff)
download: cheatdb-889e130e6bfa98974611d3eee3c9073c3753bc9b.tar.xz
1 files changed, 4 insertions, 1 deletions
diff --git a/app/templates/packages/view.html b/app/templates/packages/view.html
index ecd6b35..47d74ea 100644
--- a/app/templates/packages/view.html
+++ b/app/templates/packages/view.html
@@ -10,7 +10,10 @@
 			<span class="icon_message"></span>
 			This package needs to be approved before it can be found.
 			{% if package.checkPerm(current_user, "APPROVE_NEW") %}
-				<a href="{{ package.getApproveURL() }}">Approve</a>
+				<form method="post" action="{{ package.getApproveURL() }}">
+					<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+					<input type="submit" value="Approve" />
+				</form>
 			{% endif %}
 			<div style="clear: both;"></div>
 		</div>
author	rubenwardy <rw@rubenwardy.com>	2018-05-13 18:37:57 +0100
committer	rubenwardy <rw@rubenwardy.com>	2018-05-13 18:38:01 +0100
commit	889e130e6bfa98974611d3eee3c9073c3753bc9b (patch)
tree	8823f5898d95441ca07cf18f65e8642e7c3073fe /app/templates/packages/view.html
parent	0dc02ed67fff593b6d85fba916d79089aebf5b93 (diff)
download	cheatdb-889e130e6bfa98974611d3eee3c9073c3753bc9b.tar.xz