Protect trade with CSRF

pflaenzli/pflaenzli/templates/offer/detail.html

@@ -86,6 +86,10 @@
                 <div class="alert alert-warning" role="alert">{% trans "There are currently no wishes!" %}</div>
             {% endif %}
         </div>
-        <a class="btn btn-pfl mb-3" href="{% url 'offer_trade' offer.id %}">{% trans "Offer trade" %}</a>
+        <form method="post" action="{% url 'offer_trade' %}">
+            {% csrf_token %}
+            <input type="hidden" name="offer" value="{{ offer.id }}"/>
+            <button class="btn btn-pfl mb-3" data-umami-event="Trade offer">{% trans "Offer trade" %}</button>
+        </form>
     {% endif %}
 {% endblock %}

pflaenzli/pflaenzli/urls.py

@@ -20,7 +20,7 @@ urlpatterns = [
     path("offer/<int:offer_id>/", views.offer_detail, name="offer_detail"),
     path("offer/<int:offer_id>/delete/", views.offer_delete, name="offer_delete"),
     path("offer/<int:offer_id>/edit/", views.offer_edit, name="offer_edit"),
-    path("offer/<int:offer_id>/trade/", views.offer_trade, name="offer_trade"),
+    path("trade/", views.offer_trade, name="offer_trade"),
     path("accounts/<int:user_id>", views.user_detail, name="user_detail"),
     path("accounts/<int:user_id>/wishlist/", views.wishlist, name="wishlist"),
     path('accounts/login/', auth_views.LoginView.as_view(template_name='registration/login.html')),

pflaenzli/pflaenzli/views.py

@@ -150,7 +150,8 @@ def delete_wish(request, wish_id):
 
 
 @login_required
-def offer_trade(request, offer_id):
+def offer_trade(request):
+    offer_id = int(request.POST['offer'])
     offer = get_object_or_404(Offer, id=offer_id)
     sender = request.user
     recipient = offer.user