From d14f0776086e5ebb2e7c4acca50d39d9db89cca8 Mon Sep 17 00:00:00 2001
From: Sean Alexandre <sean@alexan.org>
Date: Wed, 2 Sep 2015 21:39:03 -0400
Subject: [PATCH] network: CSRF check for (de)activating connections

Fixes issue #127
Network manager: fix CSRF when activating/deactivating network connections
https://github.com/freedombox/Plinth/issues/127
---
 plinth/modules/networks/networks.py           |  3 +
 .../networks/templates/connections_list.html  | 80 +++++++++++--------
 2 files changed, 50 insertions(+), 33 deletions(-)

diff --git a/plinth/modules/networks/networks.py b/plinth/modules/networks/networks.py
index 7c0ec3ede..e01854814 100644
--- a/plinth/modules/networks/networks.py
+++ b/plinth/modules/networks/networks.py
@@ -19,6 +19,7 @@ from django.contrib import messages
 from django.core.urlresolvers import reverse_lazy
 from django.shortcuts import redirect
 from django.template.response import TemplateResponse
+from django.views.decorators.http import require_POST
 from gettext import gettext as _
 from logging import Logger
 
@@ -167,6 +168,7 @@ def edit(request, uuid):
                                  'form': form})
 
 
+@require_POST
 def activate(request, uuid):
     """Activate the connection."""
     try:
@@ -184,6 +186,7 @@ def activate(request, uuid):
     return redirect(reverse_lazy('networks:index'))
 
 
+@require_POST
 def deactivate(request, uuid):
     """Deactivate the connection."""
     try:
diff --git a/plinth/modules/networks/templates/connections_list.html b/plinth/modules/networks/templates/connections_list.html
index 462a5eea9..34ee28b4a 100644
--- a/plinth/modules/networks/templates/connections_list.html
+++ b/plinth/modules/networks/templates/connections_list.html
@@ -23,15 +23,23 @@
 {% block page_head %}
   <style type="text/css">
     .connection-edit-label {
-      display: inline-block;
-      width: 40%;
+        display: inline-block;
+        width: 40%;
     }
+
     .connection-type-label {
-      display: inline-block;
-      width: 20%;
+        display: inline-block;
+        width: 20%;
     }
+
     .list-group-item .btn {
-      margin: -5px 0;
+        margin: -5px 0;
+    }
+
+    .dropdown-menu .btn {
+        background: none;
+        width: 100%;
+        text-align: left;
     }
   </style>
 {% endblock %}
@@ -59,35 +67,41 @@
             <span class="connection-type-label">{{ connection.type }}</span>
 
             {% if connection.is_active %}
-            <div class="btn-group">
-              <button type="button"
-                      class="btn btn-success btn-xs dropdown-toggle"
-                      data-toggle="dropdown" aria-expanded="false">
-                Active <span class="caret"></span>
-              </button>
-              <ul class="dropdown-menu" role="menu">
-                <li>
-                  <a href="{% url 'networks:deactivate' connection.uuid %}">
-                    Deactivate
-                  </a>
-                </li>
-              </ul>
-            </div>
+              <div class="btn-group">
+                <button type="button"
+                        class="btn btn-success btn-xs dropdown-toggle"
+                        data-toggle="dropdown" aria-expanded="false">
+                  Active <span class="caret"></span>
+                </button>
+                <ul class="dropdown-menu" role="menu">
+                  <li>
+                    <form name="toggle_form" id="toggle_form" class="form" method="post"
+                          action="{% url 'networks:deactivate' connection.uuid %}">
+                      {% csrf_token %}
+
+                      <button type="submit" class="btn">Deactivate</button>
+                    </form>
+                  </li>
+                </ul>
+              </div>
             {% else %}
-            <div class="btn-group">
-              <button type="button"
-                      class="btn btn-warning btn-xs dropdown-toggle"
-                      data-toggle="dropdown" aria-expanded="false">
-                Not Active <span class="caret"></span>
-              </button>
-              <ul class="dropdown-menu" role="menu">
-                <li>
-                  <a href="{% url 'networks:activate' connection.uuid %}">
-                    Activate
-                  </a>
-                </li>
-              </ul>
-            </div>
+              <div class="btn-group">
+                <button type="button"
+                        class="btn btn-warning btn-xs dropdown-toggle"
+                        data-toggle="dropdown" aria-expanded="false">
+                  Not Active <span class="caret"></span>
+                </button>
+                <ul class="dropdown-menu" role="menu">
+                  <li>
+                    <form name="toggle_form" id="toggle_form" class="form" method="post"
+                          action="{% url 'networks:activate' connection.uuid %}">
+                      {% csrf_token %}
+
+                      <button type="submit" class="btn">Activate</button>
+                    </form>
+                  </li>
+                </ul>
+              </div>
             {% endif %}
 
           </div>