From 50637480556844227df0b01d911302110eed70a3 Mon Sep 17 00:00:00 2001
From: jordan
Date: Tue, 22 May 2012 13:36:51 +0000
Subject: [PATCH 1/1] allow only AJAX requests for post votes, otherwise it makes CSRF possible

git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@1266 0cfe37f9-358a-4d5e-be75-b63607b5c754
---
 forum/views/commands.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/forum/views/commands.py b/forum/views/commands.py
index 83a6211..51499a9 100644
--- a/forum/views/commands.py
+++ b/forum/views/commands.py
@@ -75,6 +75,10 @@ class CannotDoubleActionException(CommandException):
 
 @decorate.withfn(command)
 def vote_post(request, id, vote_type):
+    if not request.is_ajax():
+        raise CommandException(_("Invalid request"))
+
+
     post = get_object_or_404(Node, id=id).leaf
     user = request.user
 
--
2.39.5
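Review bot: The new `if not request.is_ajax():` guard at the top of `vote_post` only tests for the `X-Requested-With: XMLHttpRequest` header, which stops a plain cross-site form post but is a client convention rather than a CSRF token, so it should be defense in depth next to Django's `CsrfViewMiddleware`/`@csrf_protect` (with the vote JavaScript sending the token), not the sole protection. The guard also does not restrict the HTTP method, so a state-changing vote is still accepted over GET if an XHR issues one; `if not (request.is_ajax() and request.method == 'POST'):` closes that gap. Note that `HttpRequest.is_ajax()` was deprecated in Django 3.1 and removed in 4.0, so anyone carrying this forward needs to read `request.headers.get('x-requested-with')` directly, and a comment such as `# AJAX-only: the custom header cannot be set by a cross-site form, mitigating CSRF` would record why the check exists. The body of `vote_post` continues past the end of the hunk.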