allow only AJAX requests for post votes, otherwise it makes CSRF possible
index 83a6211a8448a001555e5bbb7d157d3464d42cbf..51499a9fb26a9633955c71cb213f1f4e1b950e10 100644 (file)
@@ -75,6 +75,10 @@ class CannotDoubleActionException(CommandException):
 
 @decorate.withfn(command)
 def vote_post(request, id, vote_type):
+    if not request.is_ajax():
+        raise CommandException(_("Invalid request"))
+
+
     post = get_object_or_404(Node, id=id).leaf
     user = request.user