allow only AJAX requests for post votes, otherwise it makes CSRF possible

author jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>

Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)

committer jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>

Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)
author jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)
committer jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)
diff --git a/forum/views/commands.py b/forum/views/commands.py

index 83a6211a8448a001555e5bbb7d157d3464d42cbf..51499a9fb26a9633955c71cb213f1f4e1b950e10 100644 (file)
--- a/forum/views/commands.py
+++ b/forum/views/commands.py
@@ -75,6 +75,10 @@ class CannotDoubleActionException(CommandException):
  
  @decorate.withfn(command)
  def vote_post(request, id, vote_type):
+    if not request.is_ajax():
+        raise CommandException(_("Invalid request"))
+
+
      post = get_object_or_404(Node, id=id).leaf
      user = request.user
author	jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
	Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)
committer	jordan <jordan@0cfe37f9-358a-4d5e-be75-b63607b5c754>
	Tue, 22 May 2012 13:36:51 +0000 (13:36 +0000)