
[WIP] CSRF Fixes. #92

sh4nks 10 years ago
parent
commit
f21ca5fbee
2 changed files with 70 additions and 50 deletions
  1. 12 12
      flaskbb/forum/views.py
  2. 58 38
      flaskbb/templates/forum/topic_controls.html

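--- a/flaskbb/forum/views.py
+++ b/flaskbb/forum/views.py
@@ -196,8 +196,8 @@ def delete_topic(topic_id, slug=None):
     return redirect(url_for("forum.view_forum", forum_id=topic.forum_id))
 
 
-@forum.route("/topic/<int:topic_id>/lock")
-@forum.route("/topic/<int:topic_id>-<slug>/lock")
+@forum.route("/topic/<int:topic_id>/lock", methods=["POST"])
+@forum.route("/topic/<int:topic_id>-<slug>/lock", methods=["POST"])
 @login_required
 def lock_topic(topic_id, slug=None):
     topic = Topic.query.filter_by(id=topic_id).first_or_404()
@@ -214,8 +214,8 @@ def lock_topic(topic_id, slug=None):
     return redirect(topic.url)
 
 
-@forum.route("/topic/<int:topic_id>/unlock")
-@forum.route("/topic/<int:topic_id>-<slug>/unlock")
+@forum.route("/topic/<int:topic_id>/unlock", methods=["POST"])
+@forum.route("/topic/<int:topic_id>-<slug>/unlock", methods=["POST"])
 @login_required
 def unlock_topic(topic_id, slug=None):
     topic = Topic.query.filter_by(id=topic_id).first_or_404()
@@ -233,8 +233,8 @@ def unlock_topic(topic_id, slug=None):
     return redirect(topic.url)
 
 
-@forum.route("/topic/<int:topic_id>/highlight")
-@forum.route("/topic/<int:topic_id>-<slug>/highlight")
+@forum.route("/topic/<int:topic_id>/highlight", methods=["POST"])
+@forum.route("/topic/<int:topic_id>-<slug>/highlight", methods=["POST"])
 @login_required
 def highlight_topic(topic_id, slug=None):
     topic = Topic.query.filter_by(id=topic_id).first_or_404()
@@ -249,8 +249,8 @@ def highlight_topic(topic_id, slug=None):
     return redirect(topic.url)
 
 
-@forum.route("/topic/<int:topic_id>/trivialize")
-@forum.route("/topic/<int:topic_id>-<slug>/trivialize")
+@forum.route("/topic/<int:topic_id>/trivialize", methods=["POST"])
+@forum.route("/topic/<int:topic_id>-<slug>/trivialize", methods=["POST"])
 @login_required
 def trivialize_topic(topic_id, slug=None):
     topic = Topic.query.filter_by(id=topic_id).first_or_404()
@@ -536,8 +536,8 @@ def topictracker():
     return render_template("forum/topictracker.html", topics=topics)
 
 
-@forum.route("/topictracker/<int:topic_id>/add")
-@forum.route("/topictracker/<int:topic_id>-<slug>/add")
+@forum.route("/topictracker/<int:topic_id>/add", methods=["POST"])
+@forum.route("/topictracker/<int:topic_id>-<slug>/add", methods=["POST"])
 @login_required
 def track_topic(topic_id, slug=None):
     topic = Topic.query.filter_by(id=topic_id).first_or_404()
@@ -546,8 +546,8 @@ def track_topic(topic_id, slug=None):
     return redirect(topic.url)
 
 
-@forum.route("/topictracker/<int:topic_id>/delete")
-@forum.route("/topictracker/<int:topic_id>-<slug>/delete")
+@forum.route("/topictracker/<int:topic_id>/delete", methods=["POST"])
+@forum.route("/topictracker/<int:topic_id>-<slug>/delete", methods=["POST"])
 @login_required
 def untrack_topic(topic_id, slug=None):
     topic = Topic.query.filter_by(id=topic_id).first_or_404()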
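Review bot: Restricting these routes to POST does not by itself stop a cross-site request, so the `csrf_token` field the template now posts has to be validated somewhere — nothing in these hunks checks it, and unless CSRF protection is enabled app-wide (e.g. Flask-WTF's CSRFProtect, which cannot be confirmed from this diff) a forged form POST from another origin would still lock, highlight or untrack a topic. The same applies to delete_topic, whose decorators sit above the first hunk: the template now submits a POST form to it, so its route needs `methods=["POST"]` too if it does not already declare one. A short comment on the route group, such as `# state-changing action: POST-only; relies on app-wide CSRF validation of csrf_token`, would record the assumption for the next reader. The bodies of lock_topic, unlock_topic, highlight_topic, trivialize_topic, track_topic and untrack_topic all continue past their hunks, so any per-view validation would go there.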

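--- a/flaskbb/templates/forum/topic_controls.html
+++ b/flaskbb/templates/forum/topic_controls.html
@@ -1,46 +1,23 @@
-<div class="pull-left" style="padding-bottom: 10px">
+<div class="pull-left">
     {{ render_pagination(posts, topic.url) }}
 </div> <!-- end span pagination -->
 
-<div class="pull-right" style="padding-bottom: 10px">
-    <div class="btn btn-group">
-        {% if current_user|delete_topic(topic) %}
-        <a href="{{ url_for('forum.delete_topic', topic_id=topic.id, slug=topic.slug) }}" class="btn btn-danger">
-            <span class="fa fa-trash-o"></span> {% trans %}Delete Topic{% endtrans %}
-        </a>
-        {% endif %}
-        {% if current_user|can_moderate(topic.forum) %}
-            {% if not topic.locked %}
-            <a href="{{ url_for('forum.lock_topic', topic_id=topic.id, slug=topic.slug) }}" class="btn btn-warning">
-                <span class="fa fa-lock"></span> {% trans %}Lock Topic{% endtrans %}
-            </a>
-            {% else %}
-            <a href="{{ url_for('forum.unlock_topic', topic_id=topic.id, slug=topic.slug) }}" class="btn btn-warning">
-                <span class="fa fa-unlock"></span> {% trans %}Unlock Topic{% endtrans %}
-            </a>
-            {% endif %}
-            {% if not topic.important %}
-            <a href="{{ url_for('forum.highlight_topic', topic_id=topic.id, slug=topic.slug) }}" class="btn btn-success">
-                    <span class="fa fa-star"></span> {% trans %}Highlight Topic{% endtrans %}
-            </a>
-            {% else %}
-            <a href="{{ url_for('forum.trivialize_topic', topic_id=topic.id, slug=topic.slug) }}" class="btn btn-success">
-                <span class="fa fa-star-o"></span> {% trans %}Trivialize Topic{% endtrans %}
-            </a>
-            {% endif %}
-        {% endif %}
-    </div>
-
-    {% if current_user.is_authenticated() %}
-    <div class="btn btn-group">
+{% if current_user.is_authenticated() %}
+    <div class="pull-right" style="padding-left: 15px">
         {% if current_user.is_tracking_topic(topic) %}
-        <a href="{{ url_for('forum.untrack_topic', topic_id=topic.id, slug=topic.slug) }}" class="btn btn-default"><span class="fa fa-tag">
-            </span> {% trans %}Untrack Topic{% endtrans %}
-        </a>
+        <form class="inline-form" method="post" action="{{ url_for('forum.untrack_topic', topic_id=topic.id, slug=topic.slug) }}">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+            <button class="btn btn-default">
+                <span class="fa fa-tag" aria-hidden="true"></span> {% trans %}Untrack Topic{% endtrans %}
+            </button>
+        </form>
         {% else %}
-        <a href="{{ url_for('forum.track_topic', topic_id=topic.id, slug=topic.slug) }}" class="btn btn-default">
-            <span class="fa fa-tag"></span> {% trans %}Track Topic{% endtrans %}
-        </a>
+        <form class="inline-form" method="post" action="{{ url_for('forum.track_topic', topic_id=topic.id, slug=topic.slug) }}">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+            <button class="btn btn-default">
+                <span class="fa fa-tag" aria-hidden="true"></span> {% trans %}Track Topic{% endtrans %}
+            </button>
+        </form>
         {% endif %}
 
         {% if current_user|post_reply(topic) %}
@@ -49,7 +26,50 @@
         </a>
         {% endif %}
     </div>
+{% endif %}
+
+<div class="pull-right">
+{% if current_user|delete_topic(topic) %}
+    <form class="inline-form" method="post" action="{{ url_for('forum.delete_topic', topic_id=topic.id, slug=topic.slug) }}">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+        <button class="btn btn-danger">
+            <span class="fa fa-trash-o"></span> {% trans %}Delete Topic{% endtrans %}
+        </button>
+    </form>
+{% endif %}
+{% if current_user|can_moderate(topic) %}
+    {% if not topic.locked %}
+        <form class="inline-form" method="post" action="{{ url_for('forum.lock_topic', topic_id=topic.id, slug=topic.slug) }}">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+            <button class="btn btn-warning">
+                <span class="fa fa-lock"></span> {% trans %}Lock Topic{% endtrans %}
+            </button>
+        </form>
+    {% else %}
+        <form class="inline-form" method="post" action="{{ url_for('forum.unlock_topic', topic_id=topic.id, slug=topic.slug) }}">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+            <button class="btn btn-warning">
+                <span class="fa fa-unlock"></span> {% trans %}Unlock Topic{% endtrans %}
+            </button>
+        </form>
+    {% endif %}
+
+    {% if not topic.important %}
+        <form class="inline-form" method="post" action="{{ url_for('forum.highlight_topic', topic_id=topic.id, slug=topic.slug) }}">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+            <button class="btn btn-success">
+                <span class="fa fa-star"></span> {% trans %}Highlight Topic{% endtrans %}
+            </button>
+        </form>
+    {% else %}
+        <form class="inline-form" method="post" action="{{ url_for('forum.trivialize_topic', topic_id=topic.id, slug=topic.slug) }}">
+            <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+            <button class="btn btn-success">
+                <span class="fa fa-star-o"></span> {% trans %}Trivialize Topic{% endtrans %}
+            </button>
+        </form>
     {% endif %}
+{% endif %}
 </div>
 
 <div class="clearfix"></div>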
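Review bot: The moderator check changed from `current_user|can_moderate(topic.forum)` to `current_user|can_moderate(topic)` while the controls were moved; if the filter still expects a forum, the lock/unlock and highlight/trivialize buttons will be evaluated against the wrong object (or the filter will raise), so either the `topic.forum` argument should be restored or the filter's signature confirmed to accept a topic — that cannot be checked from this diff. The hidden `csrf_token` input is now duplicated in six forms; a small macro such as `{% macro csrf_field() %}<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />{% endmacro %}` would keep the token field in one place if its name or rendering changes. `inline-form` is not a Bootstrap class (Bootstrap's is `form-inline`), so unless the project's own CSS defines it these forms will stack vertically instead of lining up as the old button group did.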