Fix CSRF security issues in rules management apis
MaKyOtOx committed Dec 14, 2021
1 parent ba276f9 commit 58f3733
Showing 2 changed files with 5 additions and 5 deletions.
4 changes: 2 additions & 2 deletions rules/apis.py
Expand Up @@ -66,7 +66,7 @@ def add_rule_api(request):
return JsonResponse({'status': 'success'})


@api_view(['GET'])
@api_view(['POST'])
def toggle_rule_status_api(request, rule_id):
"""Change status of an alerting rule."""
rule = get_object_or_404(Rule, id=rule_id)
Expand All @@ -79,7 +79,7 @@ def toggle_rule_status_api(request, rule_id):
return JsonResponse({'status': 'success'})


@api_view(['GET'])
@api_view(['POST'])
def duplicate_rule_api(request, rule_id):
"""Duplicate an alerting rule."""
new_rule = get_object_or_404(Rule, id=rule_id)
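Review bot: Switching the `@api_view` decorators on `toggle_rule_status_api` and `duplicate_rule_api` from `['GET']` to `['POST']` only buys CSRF protection if the request is authenticated through DRF's SessionAuthentication, because (assuming `api_view` is rest_framework's) the wrapped view is csrf_exempt and the CSRF check is performed inside that authentication class; the authentication and permission classes in effect for these views are not in the hunk, so it is worth confirming they have not been overridden to a scheme that skips the check. Any caller that still uses the old verb, such as a plain link, will now get a 405 and needs updating. The docstrings could record the new contract, e.g. `"""Change status of an alerting rule (POST only; CSRF token required with session auth)."""` and the analogous wording for `duplicate_rule_api`. Both function bodies continue past the hunks, and `add_rule_api` ends before the first one.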
6 changes: 3 additions & 3 deletions rules/templates/list-rules.html
Expand Up @@ -328,7 +328,8 @@ <h4 class="modal-title" id="myModalLabel">Delete Rule ?</h4>

var request = $.ajax({
url: "{% url 'duplicate_rule_api' 0 %}".replace("0", rule_id),
method: "GET",
method: "POST",
headers: {"X-CSRFToken": "{{ csrf_token }}"},
});
request.done(function(response){
if (response.status == 'success'){location.reload()}
Expand All @@ -340,7 +341,7 @@ <h4 class="modal-title" id="myModalLabel">Delete Rule ?</h4>
rule_id = e.currentTarget.getAttribute('rule-id');
var request = $.ajax({
url: "/rules/api/v1/change_status/"+rule_id,
method: "GET",
method: "POST",
headers: {"X-CSRFToken": "{{ csrf_token }}"},
success: function(){
if (e.currentTarget.textContent == "Disabled") {
Expand Down Expand Up @@ -407,7 +408,6 @@ <h4 class="modal-title" id="myModalLabel">Delete Rule ?</h4>
var request = $.ajax({
url: delete_url,
method: "POST",
// data: JSON.stringify(rules_to_delete),
data: rules_to_delete,
contentType: "application/json"
});
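Review bot: The delete request in the last hunk (`url: delete_url, method: "POST", …`) still carries no `X-CSRFToken` header, whereas the duplicate and change-status calls in the two earlier hunks now add one; unless a global `$.ajaxSetup`/`beforeSend` supplies the token elsewhere (not visible here), that POST will either be rejected once its view enforces CSRF or is succeeding only because the view does not, which is the gap this commit is closing. Adding `headers: {"X-CSRFToken": "{{ csrf_token }}"},` after `method: "POST",` would make the three calls consistent. Separately, `data: rules_to_delete` with `contentType: "application/json"` only yields a JSON body if `rules_to_delete` is already a serialized string, since jQuery form-encodes a plain object, so the removed `JSON.stringify` line may have been the right form; worth checking how `rules_to_delete` is built above the hunk. The enclosing click handler starts before the hunk.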
