From 58f3733e58428f7f330856d757125f13eab5fb62 Mon Sep 17 00:00:00 2001
From: MaKyOtOx
Date: Tue, 14 Dec 2021 14:19:49 +0100
Subject: [PATCH] Fix CSRF security issues in rules management apis

---
 rules/apis.py                   | 4 ++--
 rules/templates/list-rules.html | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/apis.py b/rules/apis.py
index 01a5636..91a10a1 100644
--- a/rules/apis.py
+++ b/rules/apis.py
@@ -66,7 +66,7 @@ def add_rule_api(request):
     return JsonResponse({'status': 'success'})
 
 
-@api_view(['GET'])
+@api_view(['POST'])
 def toggle_rule_status_api(request, rule_id):
     """Change status of an alerting rule."""
     rule = get_object_or_404(Rule, id=rule_id)
@@ -79,7 +79,7 @@ def toggle_rule_status_api(request, rule_id):
     return JsonResponse({'status': 'success'})
 
 
-@api_view(['GET'])
+@api_view(['POST'])
 def duplicate_rule_api(request, rule_id):
     """Duplicate an alerting rule."""
     new_rule = get_object_or_404(Rule, id=rule_id)
diff --git a/rules/templates/list-rules.html b/rules/templates/list-rules.html
index 431c97f..ee99c24 100644
--- a/rules/templates/list-rules.html
+++ b/rules/templates/list-rules.html
@@ -328,7 +328,8 @@
     var request = $.ajax({
         url: "{% url 'duplicate_rule_api' 0 %}".replace("0", rule_id),
-        method: "GET",
+        method: "POST",
+        headers: {"X-CSRFToken": "{{ csrf_token }}"},
     });
     request.done(function(response){
         if (response.status == 'success'){location.reload()}
@@ -340,7 +341,7 @@
     rule_id = e.currentTarget.getAttribute('rule-id');
     var request = $.ajax({
         url: "/rules/api/v1/change_status/"+rule_id,
-        method: "GET",
+        method: "POST",
         headers: {"X-CSRFToken": "{{ csrf_token }}"},
         success: function(){
             if (e.currentTarget.textContent == "Disabled") {
@@ -407,7 +408,6 @@
     var request = $.ajax({
         url: delete_url,
         method: "POST",
-        // data: JSON.stringify(rules_to_delete),
         data: rules_to_delete,
         contentType: "application/json"
     });
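Review bot: Changing the decorator to `@api_view(['POST'])` closes the GET-link CSRF vector, but on its own it does not guarantee the POST is CSRF-checked: assuming `api_view` is Django REST framework's, `APIView.as_view()` wraps the view in `csrf_exempt`, and the token is only validated by `SessionAuthentication.enforce_csrf()` for callers authenticated through the session. Whether that path is active here depends on the project's `DEFAULT_AUTHENTICATION_CLASSES` and `DEFAULT_PERMISSION_CLASSES`, which this patch does not show; if anonymous or token-authenticated requests are accepted, the `X-CSRFToken` header the template now sends is never examined. It is worth pinning that down on the view itself, e.g. `@permission_classes([IsAuthenticated])` next to the `api_view` line, and saying so in the docstring: `"""Change status of an alerting rule (POST; CSRF-enforced only for session-authenticated callers)."""`. The body of `toggle_rule_status_api` continues past the end of the hunk.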
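Review bot: In `duplicate_rule_api` the row fetched by `get_object_or_404(Rule, id=rule_id)` is bound to `new_rule` even though at that point it is the existing source rule; presumably it is turned into the copy further down (outside the hunk) by resetting its primary key, but the name misleads until then. Binding it as `rule = get_object_or_404(Rule, id=rule_id)` and only introducing `new_rule` where the copy is actually created would make the flow readable, or at least a comment such as `# same row is re-saved as a copy below` at this line. The docstring could also record the method change, e.g. `"""Duplicate an alerting rule (POST)."""`. The rest of the function is outside the hunk.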
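Review bot: `"{% url 'duplicate_rule_api' 0 %}".replace("0", rule_id)` substitutes the first "0" found anywhere in the reversed URL, not the argument placeholder, so it silently builds a wrong URL as soon as any earlier path segment contains a zero (a version or mount prefix such as `/v10/`, for instance). A placeholder no real path contains avoids that: `url: "{% url 'duplicate_rule_api' 999999999 %}".replace("999999999", rule_id),`. Separately, only a `request.done` handler that tests `response.status == 'success'` is visible, so a 403 from a CSRF rejection on the new POST would surface as nothing happening unless a `.fail` handler exists beyond the hunk; if there is none, `request.fail(function(xhr){ alert("Duplicate failed: " + xhr.status); });` would make such failures visible. The click handler enclosing this call starts before and ends after the hunk.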
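Review bot: `rule_id = e.currentTarget.getAttribute('rule-id');` assigns without `var`/`let`/`const`, which creates an implicit global (or throws under `"use strict"`); `var rule_id = e.currentTarget.getAttribute('rule-id');` keeps it local to the handler. The URL on the next line is hard-coded as `"/rules/api/v1/change_status/"+rule_id` while the duplicate handler in the previous hunk reverses its endpoint with `{% url %}`; resolving this one the same way (under whatever name the URLconf gives `toggle_rule_status_api`) keeps the two consistent and survives a route change. The handler continues past the end of the hunk.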
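Review bot: This delete POST carries no `X-CSRFToken` header in its visible options, unlike the two calls fixed above, so unless a global `$.ajaxSetup`/`beforeSend` installs it somewhere outside this hunk the request will be rejected once CSRF is enforced on the endpoint; adding `headers: {"X-CSRFToken": "{{ csrf_token }}"},` after the `method: "POST",` line would make it consistent with the rest of the commit. Also, `data: rules_to_delete` combined with `contentType: "application/json"` only sends JSON if `rules_to_delete` is already a string, because jQuery form-encodes arrays and objects by default; if it is an array (it is defined outside the hunk, so this is inferred), the line this hunk deletes was the right form and `data: JSON.stringify(rules_to_delete),` should be restored.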