From c2513ff84371e264d7369211e48aa368ad4b832c Mon Sep 17 00:00:00 2001
From: "Christopher C. Wells" <git@chris-wells.net>
Date: Sat, 31 Jul 2021 13:11:21 -0700
Subject: [PATCH] Use POST for timer stop and restart operations

---
 core/templates/core/timer_detail.html | 24 +++++++++++++-----------
 core/tests/tests_views.py             | 10 ++++++++--
 core/views.py                         |  2 ++
 3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/core/templates/core/timer_detail.html b/core/templates/core/timer_detail.html
index ba1704e60..2bc5961a5 100644
--- a/core/templates/core/timer_detail.html
+++ b/core/templates/core/timer_detail.html
@@ -60,30 +60,32 @@ <h2 class="text-muted">
             </a>
         {% endif %}
 
-        <div class="btn-group btn-group-lg center-block" role="group" aria-label="{% trans "Timer actions" %}">
-
+        <div class="center-block" role="group" aria-label="{% trans "Timer actions" %}">
             {% if perms.core.delete_timer %}
-                <a class="btn btn-danger"
+                <a class="btn btn-lg btn-danger"
                    href="{% url 'core:timer-delete' timer.id %}"
                    role="button"><i class="icon icon-delete" aria-hidden="true"></i></a>
             {% endif %}
 
             {% if perms.core.change_timer %}
-                <a class="btn btn-primary"
+                <a class="btn btn-lg btn-primary"
                    href="{% url 'core:timer-update' timer.id %}"
                    role="button"><i class="icon icon-update" aria-hidden="true"></i></a>
 
-                <a class="btn btn-secondary"
-                   href="{% url 'core:timer-restart' timer.id %}"
-                   role="button"><i class="icon icon-refresh" aria-hidden="true"></i></a>
+                <form action="{% url 'core:timer-restart' timer.id %}" role="form" method="post" class="d-inline">
+                    {% csrf_token %}
+                    <label class="sr-only">{% trans "Restart timer" %}</label>
+                    <button type="submit" class="btn btn-lg btn-secondary"><i class="icon icon-refresh" aria-hidden="true"></i></button>
+                </form>
 
                 {% if object.active %}
-                    <a class="btn btn-warning"
-                       href="{% url 'core:timer-stop' timer.id %}"
-                       role="button"><i class="icon icon-stop" aria-hidden="true"></i></a>
+                    <form action="{% url 'core:timer-stop' timer.id %}" role="form" method="post" class="d-inline">
+                        {% csrf_token %}
+                        <label class="sr-only">{% trans "Delete timer" %}</label>
+                        <button type="submit" class="btn btn-lg btn-warning"><i class="icon icon-stop" aria-hidden="true"></i></button>
+                    </form>
                 {% endif %}
             {% endif %}
-
         </div>
     </div>
 {% endblock %}
diff --git a/core/tests/tests_views.py b/core/tests/tests_views.py
index d9ad4881a..07852dd93 100644
--- a/core/tests/tests_views.py
+++ b/core/tests/tests_views.py
@@ -125,9 +125,15 @@ def test_timer_views(self):
         self.assertEqual(page.status_code, 200)
         page = self.c.get('/timers/{}/delete/'.format(entry.id))
         self.assertEqual(page.status_code, 200)
-        page = self.c.get('/timers/{}/stop/'.format(entry.id), follow=True)
+
+        page = self.c.get('/timers/{}/stop/'.format(entry.id))
+        self.assertEqual(page.status_code, 405)
+        page = self.c.post('/timers/{}/stop/'.format(entry.id), follow=True)
         self.assertEqual(page.status_code, 200)
-        page = self.c.get('/timers/{}/restart/'.format(entry.id), follow=True)
+
+        page = self.c.get('/timers/{}/restart/'.format(entry.id))
+        self.assertEqual(page.status_code, 405)
+        page = self.c.post('/timers/{}/restart/'.format(entry.id), follow=True)
         self.assertEqual(page.status_code, 200)
 
         page = self.c.get('/timers/delete-inactive/', follow=True)
diff --git a/core/views.py b/core/views.py
index 0c1fbc4f0..44e1bc4ce 100644
--- a/core/views.py
+++ b/core/views.py
@@ -324,6 +324,7 @@ def get(self, request, *args, **kwargs):
 
 
 class TimerRestart(PermissionRequired403Mixin, RedirectView):
+    http_method_names = ['post']
     permission_required = ('core.change_timer',)
 
     def get(self, request, *args, **kwargs):
@@ -337,6 +338,7 @@ def get_redirect_url(self, *args, **kwargs):
 
 
 class TimerStop(PermissionRequired403Mixin, SuccessMessageMixin, RedirectView):
+    http_method_names = ['post']
     permission_required = ('core.change_timer',)
     success_message = _('%(timer)s stopped.')