Mitigate CSRF on user's settings #221

README.md

@@ -112,6 +112,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
 
 * Generate a new session on login and 2FA #220
+* Mitigate CSRF on user's settings #221
 
 ## 2.4.6 (2022-09-20)
 

rdiffweb/controller/pref_general.py

@@ -116,18 +116,19 @@ def render_prefs_panel(self, panelid, action=None, **kwargs):  # @UnusedVariable
         # Process the parameters.
         profile_form = UserProfileForm(email=self.app.currentuser.email)
         password_form = UserPasswordForm()
-        if action == "set_profile_info":
-            self._handle_set_profile_info(action, profile_form)
-        elif action == "set_password":
-            self._handle_set_password(action, password_form)
-        elif action == "update_repos":
-            self.app.currentuser.refresh_repos(delete=True)
-            flash(_("Repositories successfully updated"), level='success')
-        elif action is None:
-            pass
-        else:
-            _logger.warning("unknown action: %s", action)
-            raise cherrypy.NotFound("Unknown action")
+        if cherrypy.request.method == 'POST':
+            if action == "set_profile_info":
+                self._handle_set_profile_info(action, profile_form)
+            elif action == "set_password":
+                self._handle_set_password(action, password_form)
+            elif action == "update_repos":
+                self.app.currentuser.refresh_repos(delete=True)
+                flash(_("Repositories successfully updated"), level='success')
+            elif action is None:
+                pass
+            else:
+                _logger.warning("unknown action: %s", action)
+                raise cherrypy.NotFound("Unknown action")
         params = {
             'profile_form': profile_form,
             'password_form': password_form,