authorrubenwardy <rw@rubenwardy.com>2018-05-13 18:37:57 +0100
committerrubenwardy <rw@rubenwardy.com>2018-05-13 18:38:01 +0100
commit889e130e6bfa98974611d3eee3c9073c3753bc9b (patch)
tree8823f5898d95441ca07cf18f65e8642e7c3073fe /app/views
parent0dc02ed67fff593b6d85fba916d79089aebf5b93 (diff)
Fix CSRF vulnerability on approve/reject links
Fixes #17
Diffstat (limited to 'app/views')
-rw-r--r--app/views/packages.py6
-rw-r--r--app/views/tasks.py3
2 files changed, 5 insertions, 4 deletions
diff --git a/app/views/packages.py b/app/views/packages.py
index a732d04..66cf354 100644
--- a/app/views/packages.py
+++ b/app/views/packages.py
@@ -172,7 +172,7 @@ def create_edit_package_page(author=None, name=None):
return render_template("packages/create_edit.html", package=package, form=form, author=author)
-@app.route("/packages/<author>/<name>/approve/")
+@app.route("/packages/<author>/<name>/approve/", methods=["POST"])
@login_required
@is_package_page
def approve_package_page(package):
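Review bot: Restricting `approve_package_page` to POST via `methods=["POST"]` only closes the CSRF hole if a token is actually validated on that POST, and nothing in this hunk shows where that happens; the function body is outside the hunk. The tasks.py hunk in this same commit imports a `csrf` object from `app` and uses `@csrf.exempt`, which suggests an app-wide Flask-WTF `CSRFProtect` is in place, so it is worth confirming it is initialised before these routes are registered and that the approve link in the template (not visible in this diffstat, which is limited to `app/views`) has become a `<form method="post">` carrying `csrf_token()`. A one-line comment above the route such as `# POST-only: state-changing action, relies on the app-wide CSRFProtect token check` would record that dependency for the next reader.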
@@ -314,7 +314,7 @@ def view_editrequest_page(package, id):
return render_template("packages/editrequest_view.html", package=package, request=erequest)
-@app.route("/packages/<author>/<name>/requests/<id>/approve/")
+@app.route("/packages/<author>/<name>/requests/<id>/approve/", methods=["POST"])
@is_package_page
def approve_editrequest_page(package, id):
if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):
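Review bot: `approve_editrequest_page` still carries no `@login_required`, unlike `approve_package_page` in the hunk above, so an unauthenticated POST reaches `package.checkPerm(current_user, Permission.APPROVE_CHANGES)` with an anonymous `current_user`. That check presumably fails for anonymous users, but relying on it means the caller gets whatever the failure branch returns instead of the standard redirect to login, and it leaves the two approve routes inconsistent. Adding `@login_required` on its own line between the route decorator and `@is_package_page`, mirroring the hunk above, makes the authentication requirement explicit; the same applies to `reject_editrequest_page` in the next hunk. The function body continues past the end of this hunk.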
@@ -339,7 +339,7 @@ def approve_editrequest_page(package, id):
return redirect(package.getDetailsURL())
-@app.route("/packages/<author>/<name>/requests/<id>/reject/")
+@app.route("/packages/<author>/<name>/requests/<id>/reject/", methods=["POST"])
@is_package_page
def reject_editrequest_page(package, id):
if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):
diff --git a/app/views/tasks.py b/app/views/tasks.py
index c5a508a..9b27f61 100644
--- a/app/views/tasks.py
+++ b/app/views/tasks.py
@@ -1,7 +1,7 @@
from flask import *
from flask_user import *
from flask.ext import menu
-from app import app
+from app import app, csrf
from app.models import *
from app.tasks import celery
from app.tasks.importtasks import getMeta
@@ -10,6 +10,7 @@ from .utils import shouldReturnJson
from .utils import *
+@csrf.exempt
@app.route("/tasks/getmeta/new/", methods=["POST"])
@login_required
def new_getmeta_page():
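Review bot: The new `@csrf.exempt` on `new_getmeta_page` removes token validation from an authenticated POST endpoint, which is the same class of weakness the rest of this commit fixes for the approve/reject routes; the body is outside the hunk, but the `getMeta`/`celery` imports suggest it enqueues work on the caller's behalf. If the endpoint is called from the site's own JavaScript (the `shouldReturnJson` import points that way), the exemption is not needed: Flask-WTF also accepts the token in an `X-CSRFToken` request header, so the caller can send `{{ csrf_token() }}` and the decorator can be dropped. If there is a genuine reason to keep the exemption, it should be stated next to the decorator, e.g. `# CSRF-exempt: <reason>; the session cookie alone must not be enough to trigger this action`, so the next reader does not mistake it for an oversight.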