Merge pull request #6242 from saadmk11/allow-only-post

humitos · web-flow · commit 76ebeff8ce74 · 2019-10-09T16:01:43.000+02:00
Allow only post requests for delete views
diff --git a/readthedocs/projects/views/private.py b/readthedocs/projects/views/private.py
@@ -210,9 +210,9 @@ def form_valid(self, form):
 
 class ProjectVersionDeleteHTML(ProjectVersionMixin, GenericModelView):
 
-    http_method_names = ['get', 'post']
+    http_method_names = ['post']
 
-    def get(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
         version = self.get_object()
         if not version.active:
             version.built = False
@@ -228,9 +228,6 @@ def get(self, request, *args, **kwargs):
             )
         return HttpResponseRedirect(self.get_success_url())
 
-    def post(self, request, *args, **kwargs):
-        return self.get(request, *args, **kwargs)
-
 
 class ImportWizardView(
         ProjectImportMixin, ProjectSpamMixin, PrivateViewMixin,
@@ -635,17 +632,14 @@ def get_context_data(self, **kwargs):
 
 class ProjectTranslationsDelete(ProjectTranslationsMixin, GenericView):
 
-    http_method_names = ['get', 'post']
+    http_method_names = ['post']
 
-    def get(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
         project = self.get_project()
         translation = self.get_translation(kwargs['child_slug'])
         project.translations.remove(translation)
         return HttpResponseRedirect(self.get_success_url())
 
-    def post(self, request, *args, **kwargs):
-        return self.get(request, *args, **kwargs)
-
     def get_translation(self, slug):
         project = self.get_project()
         translation = get_object_or_404(
diff --git a/readthedocs/rtd_tests/tests/test_privacy_urls.py b/readthedocs/rtd_tests/tests/test_privacy_urls.py
@@ -240,10 +240,6 @@ class PrivateProjectAdminAccessTest(PrivateProjectMixin, TestCase):
         '/dashboard/import/manual/demo/': {'status_code': 302},
         '/dashboard/pip/': {'status_code': 301},
         '/dashboard/pip/subprojects/delete/sub/': {'status_code': 302},
-        '/dashboard/pip/translations/delete/sub/': {'status_code': 302},
-
-        # This depends on an inactive project
-        '/dashboard/pip/version/latest/delete_html/': {'status_code': 400},
 
         # 405's where we should be POST'ing
         '/dashboard/pip/users/delete/': {'status_code': 405},
@@ -254,6 +250,8 @@ class PrivateProjectAdminAccessTest(PrivateProjectMixin, TestCase):
         '/dashboard/pip/integrations/{integration_id}/sync/': {'status_code': 405},
         '/dashboard/pip/integrations/{integration_id}/delete/': {'status_code': 405},
         '/dashboard/pip/environmentvariables/{environmentvariable_id}/delete/': {'status_code': 405},
+        '/dashboard/pip/translations/delete/sub/': {'status_code': 405},
+        '/dashboard/pip/version/latest/delete_html/': {'status_code': 405},
     }
 
     def get_url_path_ctx(self):
@@ -290,6 +288,8 @@ class PrivateProjectUserAccessTest(PrivateProjectMixin, TestCase):
         '/dashboard/pip/integrations/{integration_id}/sync/': {'status_code': 405},
         '/dashboard/pip/integrations/{integration_id}/delete/': {'status_code': 405},
         '/dashboard/pip/environmentvariables/{environmentvariable_id}/delete/': {'status_code': 405},
+        '/dashboard/pip/translations/delete/sub/': {'status_code': 405},
+        '/dashboard/pip/version/latest/delete_html/': {'status_code': 405},
     }
 
     # Filtered out by queryset on projects that we don't own.
diff --git a/readthedocs/templates/projects/project_translations.html b/readthedocs/templates/projects/project_translations.html
@@ -44,7 +44,12 @@ <h3> {% trans "Existing Translations" %} </h3>
                   {{ lang_project.name }} ({{ lang_project.get_language_display }})
                 </a>
                 <ul class="module-item-menu">
-                  <li><a href="{% url "projects_translations_delete" project.slug lang_project.slug  %}">{% trans "Remove" %}</a></li>
+                  <li>
+                    <form method="post" action="{% url "projects_translations_delete" project.slug lang_project.slug %}">
+                      {% csrf_token %}
+                      <input type="submit" value="{% trans 'Remove' %}">
+                    </form>
+                  </li>
                 </ul>
               </li>
             {% empty %}
diff --git a/readthedocs/templates/projects/project_version_detail.html b/readthedocs/templates/projects/project_version_detail.html
@@ -19,11 +19,14 @@ <h2> Editing {{ version.slug }} </h2>
 
     {% if request.user|is_admin:project %}
       {% if not version.active and version.built %}
+        <form name="version_delete_html" method="post" action="{% url "project_version_delete_html" project.slug version.slug %}">
+          {% csrf_token %}
+        </form>
         <p class="empty">
-          {% url "project_version_delete_html" project.slug version.slug as version_delete_url %}
+          {# We are submitting the form using javascript because it breaks the UI design if we use buttons #}
           {% blocktrans trimmed %}
             This version is inactive but its documentation is still available online.
-            You can <a href="{{ version_delete_url }}">delete this version's documentation</a> if you want to remove it completely.
+            You can <a href="#" onclick="document.forms['version_delete_html'].submit();">delete this version's documentation</a> if you want to remove it completely.
           {% endblocktrans %}
         </p>
       {% endif %}
