From c39872e5ea5e633913ea1f1524b821a7a7bc4863 Mon Sep 17 00:00:00 2001
From: Jannis Portmann
Date: Thu, 18 May 2023 14:24:47 +0200
Subject: [PATCH] Protect trade with CSRF

---
 pflaenzli/pflaenzli/templates/offer/detail.html | 6 +++++-
 pflaenzli/pflaenzli/urls.py | 2 +-
 pflaenzli/pflaenzli/views.py | 3 ++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/pflaenzli/pflaenzli/templates/offer/detail.html b/pflaenzli/pflaenzli/templates/offer/detail.html
index f027115..a4d1d51 100644
--- a/pflaenzli/pflaenzli/templates/offer/detail.html
+++ b/pflaenzli/pflaenzli/templates/offer/detail.html
@@ -86,6 +86,10 @@
 {% endif %}
- {% trans "Offer trade" %}
+
+ {% csrf_token %}
+
+
+
 {% endif %}
 {% endblock %}
diff --git a/pflaenzli/pflaenzli/urls.py b/pflaenzli/pflaenzli/urls.py
index e7109d9..ce5e57b 100644
--- a/pflaenzli/pflaenzli/urls.py
+++ b/pflaenzli/pflaenzli/urls.py
@@ -20,7 +20,7 @@ urlpatterns = [
     path("offer//", views.offer_detail, name="offer_detail"),
     path("offer//delete/", views.offer_delete, name="offer_delete"),
     path("offer//edit/", views.offer_edit, name="offer_edit"),
-    path("offer//trade/", views.offer_trade, name="offer_trade"),
+    path("trade/", views.offer_trade, name="offer_trade"),
     path("accounts/", views.user_detail, name="user_detail"),
     path("accounts//wishlist/", views.wishlist, name="wishlist"),
     path('accounts/login/', auth_views.LoginView.as_view(template_name='registration/login.html')),
diff --git a/pflaenzli/pflaenzli/views.py b/pflaenzli/pflaenzli/views.py
index d7f9c63..3c4551c 100644
--- a/pflaenzli/pflaenzli/views.py
+++ b/pflaenzli/pflaenzli/views.py
@@ -150,7 +150,8 @@ def delete_wish(request, wish_id):
 
 
 @login_required
-def offer_trade(request, offer_id):
+def offer_trade(request):
+    offer_id = int(request.POST['offer'])
     offer = get_object_or_404(Offer, id=offer_id)
     sender = request.user
     recipient = offer.user
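Review bot: The new line `offer_id = int(request.POST['offer'])` in offer_trade turns every non-POST request and every missing or non-numeric `offer` field into an uncaught `MultiValueDictKeyError` (a `KeyError` subclass) or `ValueError`, i.e. a 500, and Django's CSRF check only runs on unsafe methods, so the view should refuse GET explicitly instead of failing by accident. Add `@require_POST` (from `django.views.decorators.http`) beneath `@login_required` and validate the field before the lookup, returning `HttpResponseBadRequest` (from `django.http`) on bad input; `get_object_or_404` then keeps handling unknown ids as before. The `{% csrf_token %}` added in detail.html is only enforced when `CsrfViewMiddleware` is active in settings, which this patch does not show, so that is worth confirming. The body of offer_trade continues past the end of the hunk.

```python
@login_required
@require_POST
def offer_trade(request):
    # Reject absent or non-integer ids with 400 rather than a 500; unknown ids still 404 below.
    try:
        offer_id = int(request.POST['offer'])
    except (KeyError, ValueError):
        return HttpResponseBadRequest("missing or invalid offer id")
    offer = get_object_or_404(Offer, id=offer_id)
    # … unchanged: sender/recipient assignment and the rest of the view …
```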