
Damn. This is the last one. #92

sh4nks 10 years ago
parent
commit
834d3845bb

+ 5 - 2
flaskbb/templates/message/drafts.html

@@ -18,8 +18,11 @@
             <td><a href="{{ url_for('user.view_message', message_id=message.id) }}">{% if message.subject %}{{ message.subject }}{% else %}({% trans %}No Subject{% endtrans %}){% endif %}</a></td>
             <td>{{ message.date_created|format_date('%d %B %Y') }}</td>
             <td>
-                <a href="{{ url_for('user.edit_message', message_id=message.id) }}">{% trans %}Edit{% endtrans %}</a> |
-                <a href="{{ url_for('user.move_message', message_id=message.id) }}">{% trans %}Delete{% endtrans %}</a>
+                <a href="{{ url_for('user.edit_message', message_id=message.id) }}">{% trans %}Continue{% endtrans %}</a> |
+                <form class="inline-form" method="post" action="{{ url_for('user.move_message', message_id=message.id) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                </form>
             </td>
         </tr>
         {% else %}
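Review bot: The hidden `csrf_token` field in the new Delete form protects the action only if the server rejects a POST whose token is missing or wrong, and nothing in this commit shows that check; the views.py hunks add `methods=["POST"]` and nothing else. If app-wide CSRF protection is not already enabled for the `user` blueprint, these routes still accept any cross-site POST sent from a logged-in browser. Either confirm that it is enabled or validate the token inside each view. The same applies to the forms added in inbox.html, sent.html and trash.html. A test that posts without a token and expects a rejection would pin this down.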

+ 6 - 1
flaskbb/templates/message/inbox.html

@@ -25,7 +25,12 @@
                 </a>
             </td>
             <td>{{ message.date_created|time_since }}</td>
-            <td><a href="{{ url_for('user.move_message', message_id=message.id) }}">{% trans %}Delete{% endtrans %}</a></td>
+            <td>
+                <form class="inline-form" method="post" action="{{ url_for('user.move_message', message_id=message.id) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                </form>
+            </td>
         </tr>
         {% else %}
         <tr>

+ 6 - 1
flaskbb/templates/message/sent.html

@@ -21,7 +21,12 @@
         {% endif %}
             <td><a href="{{ url_for('user.view_message', message_id=message.id) }}">{{ message.subject }}</a></td>
             <td>{{ message.date_created|time_since }}</td>
-            <td><a href="{{ url_for('user.move_message', message_id=message.id) }}">{% trans %}Delete{% endtrans %}</a></td>
+            <td>
+                <form class="inline-form" method="post" action="{{ url_for('user.move_message', message_id=message.id) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                </form>
+            </td>
         </tr>
         {% else %}
         <tr>

+ 8 - 2
flaskbb/templates/message/trash.html

@@ -18,8 +18,14 @@
             <td><a href="{{ url_for('user.view_message', message_id=message.id) }}">{% if message.subject %}{{ message.subject }}{% else %}({% trans %}No Subject{% endtrans %}){% endif %}</a></td>
             <td>{{ message.date_created|format_date }}</td>
             <td>
-                <a href="{{ url_for('user.restore_message', message_id=message.id) }}">{% trans %}Restore{% endtrans %}</a> |
-                <a href="{{ url_for('user.delete_message', message_id=message.id) }}">{% trans %}Delete{% endtrans %}</a>
+                <form class="inline-form" method="post" action="{{ url_for('user.restore_message', message_id=message.id) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Restore{% endtrans %}</button> |
+                </form>
+                <form class="inline-form" method="post" action="{{ url_for('user.delete_message', message_id=message.id) }}">
+                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+                    <button class="btn btn-link">{% trans %}Delete{% endtrans %}</button>
+                </form>
             </td>
         </tr>
         {% else %}

+ 3 - 3
flaskbb/user/views.py

@@ -255,7 +255,7 @@ def edit_message(message_id):
                            title=_("Edit Message"))
 
 
-@user.route("/messages/<int:message_id>/move")
+@user.route("/messages/<int:message_id>/move", methods=["POST"])
 @login_required
 def move_message(message_id):
     message = PrivateMessage.query.filter_by(id=message_id).first_or_404()
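Review bot: `move_message` loads the row with `filter_by(id=message_id)` alone, so nothing in the visible lines ties the message to the logged-in user; `@login_required` only proves that someone is logged in. The body between this hunk and the next is not shown, so an ownership check may exist there, but if it does not, any authenticated user can trash, restore or permanently delete another user's message by posting to its numeric id. Put the owner into the query itself, comparing the message's owner column with the current user's id inside the `filter_by(...)` call, so that a foreign id returns 404. `restore_message` and `delete_message` in the following two hunks use the same lookup.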
@@ -265,7 +265,7 @@ def move_message(message_id):
     return redirect(url_for("user.inbox"))
 
 
-@user.route("/messages/<int:message_id>/restore")
+@user.route("/messages/<int:message_id>/restore", methods=["POST"])
 @login_required
 def restore_message(message_id):
     message = PrivateMessage.query.filter_by(id=message_id).first_or_404()
@@ -275,7 +275,7 @@ def restore_message(message_id):
     return redirect(url_for("user.inbox"))
 
 
-@user.route("/messages/<int:message_id>/delete")
+@user.route("/messages/<int:message_id>/delete", methods=["POST"])
 @login_required
 def delete_message(message_id):
     message = PrivateMessage.query.filter_by(id=message_id).first_or_404()