- changed DELETE request to POST for buddy requests

Updated the delete_buddy_request function from a GET to a POST request. This changes how the 'Delete' button behaves in the buddy_request template, transforming it into a dynamic form that submits a POST request. The modification improves the app's security by preventing potential CSRF vulnerabilities.

NEMO/templates/requests/buddy_requests/buddy_requests.html

@@ -30,8 +30,10 @@ <h3>{{ date.grouper|date }}</h3>
                                         <div class="buddy-list-item-buttons">
                                             {% url 'edit_buddy_request' br.id as edit_buddy_request_url %}
                                             {% button type="edit" size="small" url=edit_buddy_request_url value="Edit" %}
-                                            {% url 'delete_buddy_request' br.id as delete_buddy_request_url %}
-                                            {% button type="delete" size="small" url=delete_buddy_request_url value="Delete" %}
+                                            <form style="display: inline-block" action="{% url 'delete_buddy_request' br.id %}" method="post">
+                                                {% csrf_token %}
+                                                {% button type="delete" size="small" submit=True value="Delete" %}
+                                            </form>
                                         </div>
                                     {% endif %}
                                 </div>

NEMO/views/buddy_requests.py

@@ -82,7 +82,7 @@ def create_buddy_request(request, request_id=None):
 
 
 @login_required
-@require_GET
+@require_POST
 def delete_buddy_request(request, request_id):
     buddy_request = get_object_or_404(BuddyRequest, id=request_id)