From 889e130e6bfa98974611d3eee3c9073c3753bc9b Mon Sep 17 00:00:00 2001
From: rubenwardy <rw@rubenwardy.com>
Date: Sun, 13 May 2018 18:37:57 +0100
Subject: Fix CSRF vulnerability on approve/reject links

Fixes #17
---
 app/templates/packages/editrequest_view.html | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'app/templates/packages/editrequest_view.html')

diff --git a/app/templates/packages/editrequest_view.html b/app/templates/packages/editrequest_view.html
index ce8f70e..95d4674 100644
--- a/app/templates/packages/editrequest_view.html
+++ b/app/templates/packages/editrequest_view.html
@@ -29,9 +29,14 @@
 		</div>
 	{% elif package.checkPerm(current_user, "APPROVE_CHANGES") %}
 		<div class="box box_grey">
-			To resolve this request, either
-			<a href="{{ request.getApproveURL() }}">Approve and Apply</a> or
-			<a href="{{ request.getRejectURL() }}">Reject</a> it.
+			<form method="post" action="{{ request.getApproveURL() }}">
+				<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+				<input type="submit" value="Approve and Apply" />
+			</form>
+			<form method="post" action="{{ request.getRejectURL() }}">
+				<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+				<input type="submit" value="Reject" />
+			</form>
 		</div>
 	{% endif %}
 
-- 
cgit v1.2.3