From 23b036c2efe87c9eb2876b49fa9d112ed7a3e4c9 Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Wed, 18 Jan 2023 10:39:26 +0100
Subject: [PATCH 1/2] Enforce POST methods for delete domain view.

Avoids CSRF vulnerability.
---
 modoboa/admin/views/domain.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modoboa/admin/views/domain.py b/modoboa/admin/views/domain.py
index e762f2430..8064e234a 100644
--- a/modoboa/admin/views/domain.py
+++ b/modoboa/admin/views/domain.py
@@ -15,6 +15,7 @@
 from django.urls import reverse
 from django.utils.translation import ugettext as _, ungettext
 from django.views import generic
+from django.views.decorators import require_http_methods
 from django.views.decorators.csrf import ensure_csrf_cookie
 
 from modoboa.core import signals as core_signals
@@ -230,6 +231,7 @@ def editdomain(request, dom_id):
 
 @login_required
 @permission_required("admin.delete_domain")
+@require_http_methods(["POST"])
 def deldomain(request, dom_id):
     keepdir = request.POST.get("keepdir", "false") == "true"
     try:

From a6096f5a2c28fcdee6c0894cef89db0bd364f84e Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Wed, 18 Jan 2023 10:45:48 +0100
Subject: [PATCH 2/2] Fixed wrong import

---
 modoboa/admin/views/domain.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modoboa/admin/views/domain.py b/modoboa/admin/views/domain.py
index 8064e234a..3eb0c53c0 100644
--- a/modoboa/admin/views/domain.py
+++ b/modoboa/admin/views/domain.py
@@ -15,8 +15,8 @@
 from django.urls import reverse
 from django.utils.translation import ugettext as _, ungettext
 from django.views import generic
-from django.views.decorators import require_http_methods
 from django.views.decorators.csrf import ensure_csrf_cookie
+from django.views.decorators.http import require_http_methods
 
 from modoboa.core import signals as core_signals
 from modoboa.lib.exceptions import PermDeniedException
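Review bot: Restricting deldomain to POST closes the CSRF hole only because CsrfViewMiddleware validates the token on unsafe methods and skips GET; require_http_methods itself checks no token, so the fix depends on the view not being csrf_exempt and on the middleware being active, neither of which this hunk shows. That dependency is worth stating above the new decorator, e.g. `# POST-only: CsrfViewMiddleware only enforces the token on unsafe methods, so a GET must never mutate state`. Because require_http_methods sits innermost, an anonymous GET is redirected by login_required before reaching the 405, which is harmless but means a regression test should use an authenticated client and assert that GET returns 405 and a token-less POST returns 403. Any template or JavaScript that still issues a GET to this URL will presumably break now, and no caller changes are part of the series. The body of deldomain continues past the end of the hunk.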