From 50637480556844227df0b01d911302110eed70a3 Mon Sep 17 00:00:00 2001
From: jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Date: Tue, 22 May 2012 13:36:51 +0000
Subject: [PATCH] allow only AJAX requests for post votes, otherwise it makes
 CSRF possible

git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@1266 0cfe37f9-358a-4d5e-be75-b63607b5c754
---
 forum/views/commands.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/forum/views/commands.py b/forum/views/commands.py
index 83a6211..51499a9 100644
--- a/forum/views/commands.py
+++ b/forum/views/commands.py
@@ -75,6 +75,10 @@ class CannotDoubleActionException(CommandException):
 
 @decorate.withfn(command)
 def vote_post(request, id, vote_type):
+    if not request.is_ajax():
+        raise CommandException(_("Invalid request"))
+
+
     post = get_object_or_404(Node, id=id).leaf
     user = request.user
 
-- 
2.45.1