Fix CSRF vulnerability on approve/reject links

Fixes #17

app/__init__.py

@@ -3,14 +3,18 @@ from flask_user import *
 import flask_menu as menu
 from flask.ext import markdown
 from flask_github import GitHub
+from flask_wtf.csrf import CsrfProtect
 import os
 
+
+
 app = Flask(__name__)
 app.config.from_pyfile(os.environ["FLASK_CONFIG"])
 
 menu.Menu(app=app)
 markdown.Markdown(app, extensions=["fenced_code"], safe_mode=True, output_format="html5")
 github = GitHub(app)
+csrf = CsrfProtect(app)
 
 from . import models, tasks
 from .views import *

app/templates/packages/editrequest_view.html

@@ -29,9 +29,14 @@
 		</div>
 	{% elif package.checkPerm(current_user, "APPROVE_CHANGES") %}
 		<div class="box box_grey">
-			To resolve this request, either
-			<a href="{{ request.getApproveURL() }}">Approve and Apply</a> or
-			<a href="{{ request.getRejectURL() }}">Reject</a> it.
+			<form method="post" action="{{ request.getApproveURL() }}">
+				<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+				<input type="submit" value="Approve and Apply" />
+			</form>
+			<form method="post" action="{{ request.getRejectURL() }}">
+				<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+				<input type="submit" value="Reject" />
+			</form>
 		</div>
 	{% endif %}
 

app/templates/packages/view.html

@@ -10,7 +10,10 @@
 			<span class="icon_message"></span>
 			This package needs to be approved before it can be found.
 			{% if package.checkPerm(current_user, "APPROVE_NEW") %}
-				<a href="{{ package.getApproveURL() }}">Approve</a>
+				<form method="post" action="{{ package.getApproveURL() }}">
+					<input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
+					<input type="submit" value="Approve" />
+				</form>
 			{% endif %}
 			<div style="clear: both;"></div>
 		</div>

app/views/packages.py

@@ -172,7 +172,7 @@ def create_edit_package_page(author=None, name=None):
 
 	return render_template("packages/create_edit.html", package=package, form=form, author=author)
 
-@app.route("/packages/<author>/<name>/approve/")
+@app.route("/packages/<author>/<name>/approve/", methods=["POST"])
 @login_required
 @is_package_page
 def approve_package_page(package):
@@ -314,7 +314,7 @@ def view_editrequest_page(package, id):
 	return render_template("packages/editrequest_view.html", package=package, request=erequest)
 
 
-@app.route("/packages/<author>/<name>/requests/<id>/approve/")
+@app.route("/packages/<author>/<name>/requests/<id>/approve/", methods=["POST"])
 @is_package_page
 def approve_editrequest_page(package, id):
 	if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):
@@ -339,7 +339,7 @@ def approve_editrequest_page(package, id):
 
 	return redirect(package.getDetailsURL())
 
-@app.route("/packages/<author>/<name>/requests/<id>/reject/")
+@app.route("/packages/<author>/<name>/requests/<id>/reject/", methods=["POST"])
 @is_package_page
 def reject_editrequest_page(package, id):
 	if not package.checkPerm(current_user, Permission.APPROVE_CHANGES):

app/views/tasks.py

@@ -1,7 +1,7 @@
 from flask import *
 from flask_user import *
 from flask.ext import menu
-from app import app
+from app import app, csrf
 from app.models import *
 from app.tasks import celery
 from app.tasks.importtasks import getMeta
@@ -10,6 +10,7 @@ from .utils import shouldReturnJson
 
 from .utils import *
 
+@csrf.exempt
 @app.route("/tasks/getmeta/new/", methods=["POST"])
 @login_required
 def new_getmeta_page():