
This should be the last bunch of CSRF fixes. #92

sh4nks 10 years ago
parent
commit
3a96b03e75

+ 13 - 13
flaskbb/management/views.py

@@ -148,7 +148,7 @@ def edit_user(user_id):
                            title=_("Edit User"))
 
 
-@management.route("/users/<int:user_id>/delete")
+@management.route("/users/<int:user_id>/delete", methods=["POST"])
 @admin_required
 def delete_user(user_id):
     user = User.query.filter_by(id=user_id).first_or_404()
@@ -170,7 +170,7 @@ def add_user():
                            title=_("Add User"))
 
 
-@management.route("/users/banned")
+@management.route("/users/banned", methods=["GET", "POST"])
 @moderator_required
 def banned_users():
     page = request.args.get("page", 1, type=int)
@@ -192,7 +192,7 @@ def banned_users():
                            search_form=search_form)
 
 
-@management.route("/users/<int:user_id>/ban", methods=["GET", "POST"])
+@management.route("/users/<int:user_id>/ban", methods=["POST"])
 @moderator_required
 def ban_user(user_id):
     if not can_ban_user(current_user):
@@ -217,7 +217,7 @@ def ban_user(user_id):
     return redirect(url_for("management.banned_users"))
 
 
-@management.route("/users/<int:user_id>/unban", methods=["GET", "POST"])
+@management.route("/users/<int:user_id>/unban", methods=["POST"])
 @moderator_required
 def unban_user(user_id):
     if not can_ban_user(current_user):
@@ -259,8 +259,8 @@ def unread_reports():
     return render_template("management/unread_reports.html", reports=reports)
 
 
-@management.route("/reports/<int:report_id>/markread")
-@management.route("/reports/markread")
+@management.route("/reports/<int:report_id>/markread", methods=["POST"])
+@management.route("/reports/markread", methods=["POST"])
 @moderator_required
 def report_markread(report_id=None):
     # mark single report as read
@@ -327,7 +327,7 @@ def edit_group(group_id):
                            title=_("Edit Group"))
 
 
-@management.route("/groups/<int:group_id>/delete")
+@management.route("/groups/<int:group_id>/delete", methods=["POST"])
 @admin_required
 def delete_group(group_id):
     group = Group.query.filter_by(id=group_id).first_or_404()
@@ -381,7 +381,7 @@ def edit_forum(forum_id):
                            title=_("Edit Forum"))
 
 
-@management.route("/forums/<int:forum_id>/delete")
+@management.route("/forums/<int:forum_id>/delete", methods=["POST"])
 @admin_required
 def delete_forum(forum_id):
     forum = Forum.query.filter_by(id=forum_id).first_or_404()
@@ -444,7 +444,7 @@ def edit_category(category_id):
                            title=_("Edit Category"))
 
 
-@management.route("/category/<int:category_id>/delete", methods=["GET", "POST"])
+@management.route("/category/<int:category_id>/delete", methods=["POST"])
 @admin_required
 def delete_category(category_id):
     category = Category.query.filter_by(id=category_id).first_or_404()
@@ -466,7 +466,7 @@ def plugins():
     return render_template("management/plugins.html", plugins=plugins)
 
 
-@management.route("/plugins/enable/<plugin>")
+@management.route("/plugins/<path:plugin>/enable", methods=["POST"])
 @admin_required
 def enable_plugin(plugin):
     plugin = get_plugin_from_all(plugin)
@@ -491,7 +491,7 @@ def enable_plugin(plugin):
     return redirect(url_for("management.plugins"))
 
 
-@management.route("/plugins/disable/<plugin>")
+@management.route("/plugins/<path:plugin>/disable", methods=["POST"])
 @admin_required
 def disable_plugin(plugin):
     try:
@@ -518,7 +518,7 @@ def disable_plugin(plugin):
     return redirect(url_for("management.plugins"))
 
 
-@management.route("/plugins/uninstall/<plugin>")
+@management.route("/plugins/<path:plugin>/uninstall", methods=["POST"])
 @admin_required
 def uninstall_plugin(plugin):
     plugin = get_plugin_from_all(plugin)
@@ -533,7 +533,7 @@ def uninstall_plugin(plugin):
     return redirect(url_for("management.plugins"))
 
 
-@management.route("/plugins/install/<plugin>")
+@management.route("/plugins/<path:plugin>/install", methods=["POST"])
 @admin_required
 def install_plugin(plugin):
     plugin = get_plugin_from_all(plugin)
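Review bot: Restricting these routes to POST only defeats CSRF if the `csrf_token` the templates now post is actually validated server-side; none of the view functions in this section check it, so the fix depends on Flask-WTF's `CSRFProtect` being registered on the app, which is not visible in this commit and is worth confirming. A short comment above the first converted route, e.g. `# POST-only: the CSRF token from the form is validated by CSRFProtect before the view runs`, would record that dependency for the next reader. Separately, the plugin routes moved from `<plugin>` to `<path:plugin>`, which lets the identifier contain `/`; if `get_plugin_from_all` or the install/uninstall code joins that name into a filesystem path, the wider converter should be justified or narrowed back to `<plugin>`. Each view's body continues outside its hunk.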

+ 4 - 1
flaskbb/templates/management/banned_users.html

@@ -55,7 +55,10 @@
                     <td>{{ user.primary_group.name }}</td>
                     <td>
                         {% if current_user|can_ban_user and user.permissions['banned'] %}
-                            <a href="{{ url_for('management.unban_user', user_id = user.id) }}">{% trans %}Unban{% endtrans %}</a>
+                        <form class="inline-form" method="post" action="{{ url_for('management.unban_user', user_id = user.id) }}">
+                            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                            <button class="btn btn-link">{% trans %}Unban{% endtrans %}</button>
+                        </form>
                         {% endif %}
                     </td>
                 </tr>

+ 8 - 2
flaskbb/templates/management/forums.html

@@ -26,7 +26,10 @@
                 <td valign="top" align="center" style="white-space: nowrap">
                     <a href="{{ url_for('management.add_forum', category_id=category.id) }}">{% trans %}Add Forum{% endtrans %}</a> |
                     <a href="{{ url_for('management.edit_category', category_id = category.id) }}">{% trans %}Edit{% endtrans %}</a> |
-                    <a href="{{ url_for('management.delete_category', category_id = category.id) }}">{% trans %}Delete{% endtrans %}</a>
+                    <form class="inline-form" method="post" action="{{ url_for('management.delete_category', category_id=category.id) }}">
+                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                    </form>
                 </td>
             </tr>
         </thead>
@@ -54,7 +57,10 @@
 
                 <td valign="top" align="center" style="white-space: nowrap">
                     <a href="{{ url_for('management.edit_forum', forum_id = forum.id) }}">{% trans %}Edit{% endtrans %}</a> |
-                    <a href="{{ url_for('management.delete_forum', forum_id = forum.id) }}">{% trans %}Delete{% endtrans %}</a>
+                    <form class="inline-form" method="post" action="{{ url_for('management.delete_forum', forum_id=forum.id) }}">
+                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                    </form>
                 </td>
             </tr>
             {% endfor %}

+ 4 - 1
flaskbb/templates/management/groups.html

@@ -35,7 +35,10 @@
                 <td>{{ group.description }}</td>
                 <td>
                     <a href="{{ url_for('management.edit_group', group_id = group.id) }}">{% trans %}Edit{% endtrans %}</a> |
-                    <a href="{{ url_for('management.delete_group', group_id = group.id) }}">{% trans %}Delete{% endtrans %}</a>
+                    <form class="inline-form" method="post" action="{{ url_for('management.delete_group', group_id=group.id) }}">
+                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                    </form>
                 </td>
             </tr>
             {% endfor %}

+ 16 - 4
flaskbb/templates/management/plugins.html

@@ -31,18 +31,30 @@
             </td>
             <td>
                 {% if not plugin.enabled %}
-                <a href="{{ url_for('management.enable_plugin', plugin=plugin.identifier) }}">{% trans %}Enable{% endtrans %}</a>
+                <form class="inline-form" method="post" action="{{ url_for('management.enable_plugin', plugin=plugin.identifier) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Enable{% endtrans %}</button>
+                </form>
                 {% else %}
-                <a href="{{ url_for('management.disable_plugin', plugin=plugin.identifier) }}">{% trans %}Disable{% endtrans %}</a>
+                <form class="inline-form" method="post" action="{{ url_for('management.disable_plugin', plugin=plugin.identifier) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Disable{% endtrans %}</button>
+                </form>
                 {% endif %}
 
                 {% set uninstallable = plugin.uninstallable %}
                 {% if plugin.installable and not uninstallable %}
                 <br />
-                <a href="{{ url_for('management.install_plugin', plugin=plugin.identifier) }}">{% trans %}Install{% endtrans %}</a>
+                <form class="inline-form" method="post" action="{{ url_for('management.install_plugin', plugin=plugin.identifier) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Install{% endtrans %}</button>
+                </form>
                 {% endif %}
                 {% if uninstallable %}
-                <a href="{{ url_for('management.uninstall_plugin', plugin=plugin.identifier) }}">{% trans %}Uninstall{% endtrans %}</a>
+                <form class="inline-form" method="post" action="{{ url_for('management.uninstall_plugin', plugin=plugin.identifier) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Uninstall{% endtrans %}</button>
+                </form>
                 {% endif %}
             </td>
         </tr>
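Review bot: The four forms in this section repeat the same three-line `<form method="post">` / hidden `csrf_token` / `<button class="btn btn-link">` pattern, as do the other management templates in this commit, so the token input is easy to omit on the next action that gets converted; a small Jinja macro such as `{% macro post_button(action, label) %}` that always emits the hidden `csrf_token` field would make the protection the default rather than a copy-paste. The buttons also rely on the implicit `type="submit"`; spelling it out as `<button type="submit" class="btn btn-link">` makes the intent clear. The enclosing table row continues outside the section.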

+ 10 - 2
flaskbb/templates/management/unread_reports.html

@@ -28,7 +28,12 @@
                 <th>{% trans %}Reporter{% endtrans %}</th>
                 <th>{% trans %}Reason{% endtrans %}</th>
                 <th>{% trans %}Reported{% endtrans %}</th>
-                <th><a href="{{ url_for('management.report_markread') }}">{% trans %}Mark all as Read{% endtrans %}</a></th>
+                <th>
+                    <form class="inline-form" method="post" action="{{ url_for('management.report_markread') }}">
+                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <button class="btn btn-link">{% trans %}Mark all as Read{% endtrans %}</button>
+                    </form>
+                </th>
             </tr>
         </thead>
         <tbody>
@@ -41,7 +46,10 @@
                 <td>{{ report.reason }}</td>
                 <td>{{ report.reported|time_since }}</td>
                 <td>
-                    <a href="{{ url_for('management.report_markread', report_id=report.id) }}">{% trans %}Mark as Read{% endtrans %}</a>
+                    <form class="inline-form" method="post" action="{{ url_for('management.report_markread', report_id=report.id) }}">
+                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                        <button class="btn btn-link">{% trans %}Mark as Read{% endtrans %}</button>
+                    </form>
                 </td>
             </tr>
             {% else %}

+ 13 - 4
flaskbb/templates/management/users.html

@@ -55,19 +55,28 @@
                     <td>{{ user.primary_group.name }}</td>
                     <td>
                         {% if current_user|can_edit_user and not user|is_admin or current_user|is_admin %}
-                            <a href="{{ url_for('management.edit_user', user_id = user.id) }}">{% trans %}Edit{% endtrans %}</a>
+                            <a href="{{ url_for('management.edit_user', user_id = user.id) }}">{% trans %}Edit{% endtrans %}</a> |
                         {% endif %}
 
                         {% if current_user|can_ban_user and not user.permissions['banned'] %}
-                            | <a href="{{ url_for('management.ban_user', user_id = user.id) }}">{% trans %}Ban{% endtrans %}</a>
+                            <form class="inline-form" method="post" action="{{ url_for('management.ban_user', user_id = user.id) }}">
+                                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                                <button class="btn btn-link">{% trans %}Ban{% endtrans %}</button> |
+                            </form>
                         {% endif %}
 
                         {% if current_user|can_ban_user and user.permissions['banned'] %}
-                            | <a href="{{ url_for('management.unban_user', user_id = user.id) }}">{% trans %}Unban{% endtrans %}</a>
+                            <form class="inline-form" method="post" action="{{ url_for('management.unban_user', user_id = user.id) }}">
+                                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                                <button class="btn btn-link">{% trans %}Unban{% endtrans %}</button> |
+                            </form>
                         {% endif %}
 
                         {% if current_user|is_admin %}
-                            | <a href="{{ url_for('management.delete_user', user_id = user.id) }}">{% trans %}Delete{% endtrans %}</a>
+                        <form class="inline-form" method="post" action="{{ url_for('management.delete_user', user_id = user.id) }}">
+                            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                            <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                        </form>
                         {% endif %}
                     </td>
                 </tr>
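Review bot: The ` |` separator for Ban and Unban is now emitted inside the `<form>` element after `</button>` (the two lines ending `{% endtrans %}</button> |`), whereas for Edit it follows the closing `</a>`; this places stray text inside an inline form and, when the Delete form is not rendered (a moderator who is not an admin), leaves a trailing ` |` where the old markup had none. Moving the separator outside the forms, e.g. `</form> |`, keeps the three controls separated consistently; alternatively drop the pipes and rely on `.inline-form` spacing. The Delete form is also indented one level shallower than the Ban/Unban forms above it. The table markup continues outside the section.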