allow only AJAX requests for post votes, otherwise it makes CSRF possible
authorjordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)
committerjordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)
git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@1266 0cfe37f9-358a-4d5e-be75-b63607b5c754

forum/views/commands.py

index 83a6211a8448a001555e5bbb7d157d3464d42cbf..51499a9fb26a9633955c71cb213f1f4e1b950e10 100644 (file)
@@ -75,6 +75,10 @@ class CannotDoubleActionException(CommandException):
 
 @decorate.withfn(command)
 def vote_post(request, id, vote_type):
 
 @decorate.withfn(command)
 def vote_post(request, id, vote_type):
+    if not request.is_ajax():
+        raise CommandException(_("Invalid request"))
+
+
     post = get_object_or_404(Node, id=id).leaf
     user = request.user
 
     post = get_object_or_404(Node, id=id).leaf
     user = request.user
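Review bot: The new guard at the top of vote_post makes the X-Requested-With header, which is all `request.is_ajax()` inspects, the only CSRF defence. That is weak on its own: it depends on browsers and plugins never letting another origin set that header, and it does not restrict the HTTP method, so a state-changing vote is still accepted over GET. I would keep the check as defence in depth but also require POST and a CSRF token, e.g. `if request.method != 'POST' or not request.is_ajax():`, with the view covered by Django's CSRF middleware or `csrf_protect`. Other views wrapped by `command` are not visible here and presumably share the exposure, so the check may belong in the decorator rather than in this one view. A short comment such as `# AJAX-only: a plain cross-site form cannot set X-Requested-With` would record why the check exists; vote_post's body continues outside the hunk.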