CSRF more mod pages

2013-09-23 16:48:56 +10:00
parent 00f4da3b82
commit c8062fbf76
18 changed files with 166 additions and 79 deletions
--- a/templates/mod/users.html
+++ b/templates/mod/users.html
@@ -48,10 +48,10 @@
 			{% endif %}
 			<td>
 				{% if mod|hasPermission(config.mod.promoteusers) and user.type < constant(config.mod.groups[0:-1]|last) %}
-					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote" title="{% trans 'Promote' %}">&#9650;</a> 
+					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/promote/{{ user.promote_token }}" title="{% trans 'Promote' %}">&#9650;</a> 
 				{% endif %}
 				{% if mod|hasPermission(config.mod.promoteusers) and user.type > constant(config.mod.groups|first) %}
-					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>&#9660;</a> 
+					<a style="float:left;text-decoration:none" href="?/users/{{ user.id }}/demote/{{ user.demote_token }}" title="{% trans 'Demote' %}"{% if mod.id == user.id %} onclick="return confirm('{% trans 'Are you sure you want to demote yourself?' %}')"{% endif %}>&#9660;</a> 
 				{% endif %}
 				{% if mod|hasPermission(config.mod.modlog) %}
 					<a class="unimportant" style="margin-left:5px;float:right" href="?/log:{{ user.username|e }}">[{% trans 'log' %}]</a>