Fix CSRF issues
GET routes are not protected against CSRF. This commit changes the needed URLs to POST and replace simple links with forms. Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
@@ -18,13 +18,13 @@
|
||||
<small>{{ instance.public_domain }}</small>
|
||||
</p>
|
||||
{% if not instance.local %}
|
||||
<a href="/admin/instances/{{ instance.id }}/block">
|
||||
<form class="inline" method="post" action="/admin/instances/{{ instance.id }}/block">
|
||||
{% if instance.blocked %}
|
||||
{{ "Unblock" | _ }}
|
||||
<input type="submit" value="{{ 'Unblock' | _ }}">
|
||||
{% else %}
|
||||
{{ "Block" | _ }}
|
||||
<input type="submit" value="{{ 'Block' | _ }}">
|
||||
{% endif %}
|
||||
</a>
|
||||
</form>
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endfor %}
|
||||
|
||||
@@ -19,9 +19,9 @@
|
||||
<small>@{{ user.username }}</small>
|
||||
</p>
|
||||
{% if not user.is_admin %}
|
||||
<a href="/admin/users/{{ user.id }}/ban">
|
||||
{{ "Ban" | _ }}
|
||||
</a>
|
||||
<form class="inline" method="post" href="/admin/users/{{ user.id }}/ban">
|
||||
<input type="submit" value="{{ 'Ban' | _ }}">
|
||||
</form>
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endfor %}
|
||||
|
||||
Reference in New Issue
Block a user