Fix missing csrf token on admin task done view (#367)

chiefonboarding · Oct 2, 2023 · 7de93f5 · 7de93f5
1 parent 490339a
commit 7de93f5
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 17 deletions.
diff --git a/back/admin/admin_tasks/templates/admin_tasks_detail.html b/back/admin/admin_tasks/templates/admin_tasks_detail.html
@@ -2,13 +2,16 @@
 {% load i18n %}
 {% load crispy_forms_tags %}
 {% block actions %}
-<a type="submit" href="{% url 'admin_tasks:completed' object.id %}" class="btn btn-primary">
-  {% if object.completed %}
-    {% translate "Reopen" %}
-  {% else %}
-    {% translate "Complete" %}
-  {% endif %}
-</a>
+<form method="post" action="{% url 'admin_tasks:completed' object.id %}">
+  {% csrf_token %}
+  <button type="submit" class="btn btn-primary">
+    {% if object.completed %}
+      {% translate "Reopen" %}
+    {% else %}
+      {% translate "Complete" %}
+    {% endif %}
+  </button>
+</form>
 {% endblock %}
 
 {% block content %}

diff --git a/back/admin/admin_tasks/tests.py b/back/admin/admin_tasks/tests.py
@@ -292,7 +292,7 @@ def test_complete_admin_task(client, admin_factory, admin_task_factory):
     assert "Complete" in response.content.decode()
     assert complete_url in response.content.decode()
 
-    response = client.get(complete_url, follow=True)
+    response = client.post(complete_url, follow=True)
     task1.refresh_from_db()
     task2.refresh_from_db()
 

diff --git a/back/admin/admin_tasks/views.py b/back/admin/admin_tasks/views.py
@@ -1,9 +1,10 @@
 from django.contrib.messages.views import SuccessMessageMixin
 from django.http import Http404
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse, reverse_lazy
 from django.utils.translation import gettext as _
-from django.views.generic.base import RedirectView
+
+from django.views.generic.detail import BaseDetailView
 from django.views.generic.edit import CreateView, UpdateView
 from django.views.generic.list import ListView
 
@@ -45,16 +46,14 @@ def get_context_data(self, **kwargs):
         return context
 
 
-class AdminTaskToggleDoneView(LoginRequiredMixin, ManagerPermMixin, RedirectView):
-    permanent = False
-    pattern_name = "admin_tasks:detail"
+class AdminTaskToggleDoneView(LoginRequiredMixin, ManagerPermMixin, BaseDetailView):
+    model = AdminTask
 
-    def get(self, request, *args, **kwargs):
-        task_id = self.kwargs.get("pk", -1)
-        admin_task = get_object_or_404(AdminTask, id=task_id)
+    def post(self, request, *args, **kwargs):
+        admin_task = self.get_object()
         admin_task.completed = not admin_task.completed
         admin_task.save()
-        return super().get(request, *args, **kwargs)
+        return redirect("admin_tasks:detail", pk=admin_task.id)
 
 
 class AdminTasksCreateView(