Add CSRF protection to workspace settings forms

[yogur]

Problem

Forms that change workspace settings are vulnerable to CSRF. A successful CSRF attack can lead to changing workspace user access list and to making private workspaces public.

The vulnerability can be reproduced on the form for changing user access by following these steps:

1. Copy the following code and save it in a new html file:

<html>
  <body>
    <form action="http://localhost:8080/workspace/1/users" method="POST">
      <input type="hidden" name="writeUsers" value="structurizr&#13;&#10;csrf&#45;write&#64;gmail&#46;com&#13;&#10;" />
      <input type="hidden" name="readUsers" value="csrf&#45;read&#64;gmail&#46;com&#13;&#10;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

2. Change the workspace ID number in form action from 1 to an ID number of an existing workspace.
3. Open the html file in a browser that's already authenticated to structurizr and click the submit button.
4. Note how the list of users that have access to the workspace has been updated.

Fix

The changes in the pull request add CSRF protection to seven forms.

I built the code locally and tested the fix to make sure it works.

[simonbrowndotje]

Thanks for the PR. Unfortunately the || uri.startsWith("/workspace") test is too wide in scope, and breaks other POST requests (e.g. /workspace/1/lock). Perhaps you could add more specific tests (e.g. uri.endsWith("/users"), etc)?

[yogur]

I wasn't aware of this.
Before I do any changes to the code, do you have any concerns with using regex to match paths? So for example for the path /workspace/123/images/delete, the test would be uri.matches("/workspace/\\d+/images/delete").