From: jordan
Date: Tue, 22 May 2012 13:36:51 +0000 (+0000)
Subject: allow only AJAX requests for post votes, otherwise it makes CSRF possible
X-Git-Tag: live~51
X-Git-Url: https://git.openstreetmap.org/osqa.git/commitdiff_plain/50637480556844227df0b01d911302110eed70a3

allow only AJAX requests for post votes, otherwise it makes CSRF possible

git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@1266 0cfe37f9-358a-4d5e-be75-b63607b5c754
---

diff --git a/forum/views/commands.py b/forum/views/commands.py
index 83a6211..51499a9 100644
--- a/forum/views/commands.py
+++ b/forum/views/commands.py
@@ -75,6 +75,10 @@ class CannotDoubleActionException(CommandException):
 @decorate.withfn(command)
 def vote_post(request, id, vote_type):
+    if not request.is_ajax():
+        raise CommandException(_("Invalid request"))
+
+
     post = get_object_or_404(Node, id=id).leaf
     user = request.user