Fix CSRF vulnerability on approve/reject links

Fixes #17
This commit is contained in:
rubenwardy
2018-05-13 18:37:57 +01:00
parent 0dc02ed67f
commit 889e130e6b
5 changed files with 21 additions and 8 deletions

View File

@@ -29,9 +29,14 @@
</div>
{% elif package.checkPerm(current_user, "APPROVE_CHANGES") %}
<div class="box box_grey">
To resolve this request, either
<a href="{{ request.getApproveURL() }}">Approve and Apply</a> or
<a href="{{ request.getRejectURL() }}">Reject</a> it.
<form method="post" action="{{ request.getApproveURL() }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" value="Approve and Apply" />
</form>
<form method="post" action="{{ request.getRejectURL() }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
<input type="submit" value="Reject" />
</form>
</div>
{% endif %}