Merge branch '76-delete-lnk-csrf' into '2.2-dev'

Resolve "CSRF and CSRF-Like Protection" See merge request !86

Merge branch '76-delete-lnk-csrf' into '2.2-dev'
Resolve "CSRF and CSRF-Like Protection" See merge request !86
aa42adb0 · David Haynes · ea1a281e · ad20a50c · aa42adb0 · aa42adb0
Commit aa42adb0 authored Apr 19, 2017 by David Haynes 🙆
--- a/go/go/views.py
+++ b/go/go/views.py
@@ -329,7 +329,7 @@ def delete(request, short):
    url = get_object_or_404(URL, short__iexact=short)

    # If the RegisteredUser is the owner of the URL
-    if url.owner == request.user.registereduser:
+    if url.owner == request.user.registereduser and request.META['HTTP_REFERER'] == request.META['HTTP_HOST']:
        # remove the URL
        url.delete()
        # redirect to my_links

--- a/requirements/base.txt
+++ b/requirements/base.txt
 Django>=1.11
-django-crispy-forms==1.6.0
+django-crispy-forms==1.6.1
 django-ratelimit==1.0.1
 django-redis-cache==1.6.4
 git+https://github.com/dhaynespls/django-qrcode.git