Fix CSRF issues

GET routes are not protected against CSRF. This commit changes the needed URLs to
POST and replace simple links with forms.

Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
Bat
2018-09-19 18:13:07 +01:00
parent eb24ba1774
commit d8ca1d70b7
12 changed files with 76 additions and 32 deletions
+4 -4
View File
@@ -18,13 +18,13 @@
<small>{{ instance.public_domain }}</small>
</p>
{% if not instance.local %}
<a href="/admin/instances/{{ instance.id }}/block">
<form class="inline" method="post" action="/admin/instances/{{ instance.id }}/block">
{% if instance.blocked %}
{{ "Unblock" | _ }}
<input type="submit" value="{{ 'Unblock' | _ }}">
{% else %}
{{ "Block" | _ }}
<input type="submit" value="{{ 'Block' | _ }}">
{% endif %}
</a>
</form>
{% endif %}
</div>
{% endfor %}
+3 -3
View File
@@ -19,9 +19,9 @@
<small>@{{ user.username }}</small>
</p>
{% if not user.is_admin %}
<a href="/admin/users/{{ user.id }}/ban">
{{ "Ban" | _ }}
</a>
<form class="inline" method="post" href="/admin/users/{{ user.id }}/ban">
<input type="submit" value="{{ 'Ban' | _ }}">
</form>
{% endif %}
</div>
{% endfor %}