Make wipe view not CSRF exempt

There is no reason to CSRF exempt this view since it's accessed via a form with POST action from the dashboard.
readthedocs · Dec 20, 2018 · a0477e6 · a0477e6
1 parent 5d4da21
commit a0477e6
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 2 deletions.
diff --git a/readthedocs/core/views/__init__.py b/readthedocs/core/views/__init__.py
@@ -14,7 +14,6 @@
 from django.conf import settings
 from django.http import HttpResponseRedirect, Http404, JsonResponse
 from django.shortcuts import render, get_object_or_404, redirect
-from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import TemplateView
 
 from readthedocs.builds.models import Version
@@ -72,7 +71,6 @@ def random_page(request, project_slug=None):  # pylint: disable=unused-argument
     return HttpResponseRedirect(url)
 
 
-@csrf_exempt
 def wipe_version(request, project_slug, version_slug):
     version = get_object_or_404(
         Version,

diff --git a/readthedocs/templates/wipe_version.html b/readthedocs/templates/wipe_version.html
@@ -30,6 +30,7 @@ <h3>
     {% endblocktrans %}
 
 <form method="post" action="#">
+  {% csrf_token %}
   <input type="submit" value="{% trans 'Wipe' %} {{ version.slug }}">
 </form>
 {% endif %}