fix #1450 by adding CSRF-token to the mobile forms

TracksApp · Jan 2, 2014 · 77778da · 77778da
1 parent 468274c
commit 77778da
Showing 1 changed file with 20 additions and 14 deletions.
diff --git a/app/views/todos/show.m.erb b/app/views/todos/show.m.erb
@@ -4,36 +4,42 @@
 <h2><Actions><%= t('common.actions') %></h2>
 
 <form method="get" action="<%= edit_todo_path(@todo, :format => :m)%>">
-<button><%=t('todos.edit_action')%></button>
-<input type="hidden" name="_method" value="put" />
+	<button><%=t('todos.edit_action')%></button>
+	<input type="hidden" name="_method" value="put" />
 </form>
 
 <form method="post" action="<%=toggle_star_todo_path(@todo, :format=>:m)%>">
-<button><%=t('todos.star_action')%></button>
-<input type="hidden" name="_method" value="put" />
+	<button><%=t('todos.star_action')%></button>
+	<input type="hidden" name="_method" value="put" />
+	<%= token_tag %>
 </form>
 
 <form method="post" action="<%=toggle_check_todo_path(@todo, :format=>:m)%>">
-<button><%= t('todos.mark_complete')%></button>
-<input type="hidden" name="_method" value="put" />
+	<button><%= t('todos.mark_complete')%></button>
+	<input type="hidden" name="_method" value="put" />
+	<%= token_tag %>
 </form>
 
 <form method="post" action="<%=defer_todo_path(@todo, :format=>:m, :days => 1)%>">
-<button><%=t('todos.defer_x_days', :count => 1)%></button>
-<input type="hidden" name="_method" value="put" />
+	<button><%=t('todos.defer_x_days', :count => 1)%></button>
+	<input type="hidden" name="_method" value="put" />
+	<%= token_tag %>
 </form>
 
 <form method="post" action="<%=defer_todo_path(@todo, :format=>:m, :days => 2)%>">
-<button><%=t('todos.defer_x_days', :count => 2)%></button>
-<input type="hidden" name="_method" value="put" />
+	<button><%=t('todos.defer_x_days', :count => 2)%></button>
+	<input type="hidden" name="_method" value="put" />
+	<%= token_tag %>
 </form>
 
 <form method="post" action="<%=defer_todo_path(@todo, :format=>:m, :days => 3)%>">
-<button><%=t('todos.defer_x_days', :count => 3)%></button>
-<input type="hidden" name="_method" value="put" />
+	<button><%=t('todos.defer_x_days', :count => 3)%></button>
+	<input type="hidden" name="_method" value="put" />
+	<%= token_tag %>
 </form>
 
 <form method="post" action="<%=defer_todo_path(@todo, :format=>:m, :days => 7)%>">
-<button><%=t('todos.defer_x_days', :count => 7)%></button>
-<input type="hidden" name="_method" value="put" />
+	<button><%=t('todos.defer_x_days', :count => 7)%></button>
+	<input type="hidden" name="_method" value="put" />
+	<%= token_tag %>
 </form>