sh4nks 10 лет назад
Родитель
Сommit
1c0d9883eb

+ 4 - 1
flaskbb/app.py

@@ -32,7 +32,7 @@ from flaskbb.forum.views import forum
 from flaskbb.forum.models import Post, Topic, Category, Forum
 # extensions
 from flaskbb.extensions import db, login_manager, mail, cache, redis_store, \
-    debugtoolbar, migrate, themes, plugin_manager, babel
+    debugtoolbar, migrate, themes, plugin_manager, babel, csrf
 # various helpers
 from flaskbb.utils.helpers import format_date, time_since, crop_title, \
     is_online, render_markup, mark_online, forum_is_unread, topic_is_unread, \
@@ -82,6 +82,9 @@ def configure_blueprints(app):
 def configure_extensions(app):
     """Configures the extensions."""
 
+    # Flask-WTF CSRF
+    csrf.init_app(app)
+
     # Flask-Plugins
     plugin_manager.init_app(app)
 
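Review bot: `csrf.init_app(app)` at the top of configure_extensions turns on CSRF checking for every POST/PUT/PATCH/DELETE view in the application, not only the two delete routes this commit converts; any existing form or handler that does not submit `csrf_token` (plugin views, AJAX callers, management forms) will be rejected with 400 unless it is updated or marked with `csrf.exempt`. Flask-WTF reads `SECRET_KEY` and honours `WTF_CSRF_ENABLED` from app.config, and no config change is part of this diff, so it is worth confirming the deployed configs set them. A one-line comment would record the intent: `# Flask-WTF CSRF: protects every state-changing view; forms must post csrf_token()`. configure_extensions continues outside the hunk.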

+ 4 - 0
flaskbb/extensions.py

@@ -18,6 +18,7 @@ from flask_migrate import Migrate
 from flask_themes2 import Themes
 from flask_plugins import PluginManager
 from flask_babelex import Babel
+from flask_wtf.csrf import CsrfProtect
 
 
 # Database
@@ -49,3 +50,6 @@ plugin_manager = PluginManager()
 
 # Babel
 babel = Babel()
+
+# CSRF
+csrf = CsrfProtect()

+ 4 - 4
flaskbb/forum/views.py

@@ -178,8 +178,8 @@ def new_topic(forum_id, slug=None):
     )
 
 
-@forum.route("/topic/<int:topic_id>/delete")
-@forum.route("/topic/<int:topic_id>-<slug>/delete")
+@forum.route("/topic/<int:topic_id>/delete", methods=["POST"])
+@forum.route("/topic/<int:topic_id>-<slug>/delete", methods=["POST"])
 @login_required
 def delete_topic(topic_id, slug=None):
     topic = Topic.query.filter_by(id=topic_id).first_or_404()
@@ -397,9 +397,9 @@ def edit_post(post_id):
     return render_template("forum/new_post.html", topic=post.topic, form=form)
 
 
-@forum.route("/post/<int:post_id>/delete")
+@forum.route("/post/<int:post_id>/delete", methods=["POST"])
 @login_required
-def delete_post(post_id, slug=None):
+def delete_post(post_id):
     post = Post.query.filter_by(id=post_id).first_or_404()
 
     # TODO: Bulk delete
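Review bot: Neither delete_topic nor delete_post carries a docstring, and the reason for the new `methods=["POST"]` restriction in both hunks (a state change must not be reachable through a crafted GET link, and the CSRF check only applies to non-GET requests) is not recorded anywhere near the decorators; a docstring such as `"""Delete the topic. POST-only so that a CSRF token is required."""` on each would help. Any other template or link that still issues a GET to these URLs will now receive 405; this commit updates only topic.html, so a search for `forum.delete_topic` and `forum.delete_post` in the remaining templates is worth doing. Both function bodies continue past the hunk, so the server-side authorization check that should back the template's `delete_topic`/`delete_post` filters cannot be confirmed here.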

+ 9 - 0
flaskbb/static/css/flaskbb.css

@@ -188,3 +188,12 @@ margin-bottom: 0px;
   border-top-right-radius: 0;
 }
 /* End sidebar */
+
+.inline-form {
+  display: inline;
+  padding: 0px;
+}
+
+.inline-form .btn-link {
+  padding: 0px;
+}
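Review bot: The `.inline-form` and `.inline-form .btn-link` rules are added verbatim to three stylesheets (this file, flaskbb/themes/bootstrap2/static/css/flaskbb.css and flaskbb/themes/bootstrap3/static/css/flaskbb.css), with nothing marking that the theme copies are meant to track the base file; a comment such as `/* inline-form: keep in sync with themes/*/static/css/flaskbb.css */` on each copy would make the duplication deliberate. `padding: 0px` can be written `padding: 0`, since a unitless zero is valid CSS.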

+ 8 - 2
flaskbb/templates/forum/topic.html

@@ -121,11 +121,17 @@
                     {% endif %}
                     {% if topic.first_post_id == post.id %}
                         {% if current_user|delete_topic(topic) %}
-                        <a href="{{ url_for('forum.delete_topic', topic_id=topic.id, slug=topic.slug) }}">{% trans %}Delete{% endtrans %}</a> |
+                        <form class="inline-form" method="post" action="{{ url_for('forum.delete_topic', topic_id=topic.id, slug=topic.slug) }}">
+                            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                            <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button> |
+                        </form>
                         {% endif %}
                     {% else %}
                         {% if current_user|delete_post(post) %}
-                        <a href="{{ url_for('forum.delete_post', post_id=post.id) }}">{% trans %}Delete{% endtrans %}</a> |
+                        <form class="inline-form" method="post" action="{{ url_for('forum.delete_post', post_id=post.id) }}">
+                            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                            <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button> |
+                        </form>
                         {% endif %}
                     {% endif %}
                     {% if current_user|post_reply(topic) %}
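Review bot: The two delete forms are near-duplicate markup (hidden `csrf_token` input, submit button, trailing `|`); a Jinja macro taking the action URL would keep the CSRF field in one place, so a future third delete form cannot omit it. The `<button class="btn btn-link">` relies on the implicit default button type; `<button type="submit" class="btn btn-link">` makes the intent explicit. The `current_user|delete_topic(topic)` and `current_user|delete_post(post)` filters only decide whether the form is rendered; the views behind the two actions must make the same check, which this section cannot confirm.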

+ 11 - 1
flaskbb/themes/bootstrap2/static/css/flaskbb.css

@@ -221,4 +221,14 @@ margin-bottom: 0px;
 /* Reply/Topic previews */
 .preview-body {
     height: auto;
-}
+}
+
+
+.inline-form {
+  display: inline;
+  padding: 0px;
+}
+
+.inline-form .btn-link {
+  padding: 0px;
+}

+ 10 - 1
flaskbb/themes/bootstrap3/static/css/flaskbb.css

@@ -225,4 +225,13 @@ margin-bottom: 0px;
 /* Reply/Topic previews */
 .preview-body {
     height: auto;
-}
+}
+
+.inline-form {
+  display: inline;
+  padding: 0px;
+}
+
+.inline-form .btn-link {
+  padding: 0px;
+}