From 3d8813b485d189c235e5e07df2eefbd22a195687 Mon Sep 17 00:00:00 2001
From: saadmk11
Date: Thu, 3 Oct 2019 21:12:00 +0600
Subject: [PATCH 1/3] allow only post request for delete views
---
 readthedocs/projects/views/private.py | 14 ++++----------
 .../templates/projects/project_translations.html | 7 ++++++-
 .../templates/projects/project_version_detail.html | 6 ++++--
 3 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/readthedocs/projects/views/private.py b/readthedocs/projects/views/private.py
index 72a0df2cd94..23ed1910fe4 100644
--- a/readthedocs/projects/views/private.py
+++ b/readthedocs/projects/views/private.py
@@ -215,9 +215,9 @@ def form_valid(self, form):
 class ProjectVersionDeleteHTML(ProjectVersionMixin, GenericModelView):
- http_method_names = ['get', 'post']
+ http_method_names = ['post']
- def get(self, request, *args, **kwargs):
+ def post(self, request, *args, **kwargs):
 version = self.get_object()
 if not version.active:
 version.built = False
@@ -233,9 +233,6 @@ def get(self, request, *args, **kwargs):
 )
 return HttpResponseRedirect(self.get_success_url())
- def post(self, request, *args, **kwargs):
- return self.get(request, *args, **kwargs)
-
 class ImportWizardView(
 ProjectImportMixin, ProjectSpamMixin, PrivateViewMixin,
@@ -640,17 +637,14 @@ def get_context_data(self, **kwargs):
 class ProjectTranslationsDelete(ProjectTranslationsMixin, GenericView):
- http_method_names = ['get', 'post']
+ http_method_names = ['post']
- def get(self, request, *args, **kwargs):
+ def post(self, request, *args, **kwargs):
 project = self.get_project()
 translation = self.get_translation(kwargs['child_slug'])
 project.translations.remove(translation)
 return HttpResponseRedirect(self.get_success_url())
- def post(self, request, *args, **kwargs):
- return self.get(request, *args, **kwargs)
-
 def get_translation(self, slug):
 project = self.get_project()
 translation = get_object_or_404(
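Review bot: `ProjectVersionDeleteHTML` and `ProjectTranslationsDelete` (third hunk) narrow `http_method_names` to `['post']` without a comment or docstring recording why, so a later edit could put `'get'` back and again let a plain link, a prefetch or a cross-site GET trigger the delete. I would document it on each `post`, for example `"""Remove the translation from the project; POST-only so the request is subject to CSRF validation."""` on the translations view and the equivalent wording on the version view. That rationale holds only if `CsrfViewMiddleware` is active and neither view is exempted, which these hunks do not show. The body of `ProjectVersionDeleteHTML.post` runs past the end of the first hunk.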
diff --git a/readthedocs/templates/projects/project_translations.html b/readthedocs/templates/projects/project_translations.html
index dbcd9348626..70b0b2c47a2 100644
--- a/readthedocs/templates/projects/project_translations.html
+++ b/readthedocs/templates/projects/project_translations.html
@@ -44,7 +44,12 @@

{% trans "Existing Translations" %}

{{ lang_project.name }} ({{ lang_project.get_language_display }}) {% empty %}
diff --git a/readthedocs/templates/projects/project_version_detail.html b/readthedocs/templates/projects/project_version_detail.html
index b10c23d1307..728be45f8fe 100644
--- a/readthedocs/templates/projects/project_version_detail.html
+++ b/readthedocs/templates/projects/project_version_detail.html
@@ -19,11 +19,13 @@

Editing {{ version.slug }}

{% if request.user|is_admin:project %} {% if not version.active and version.built %} +
+ {% csrf_token %} +

- {% url "project_version_delete_html" project.slug version.slug as version_delete_url %} {% blocktrans trimmed %} This version is inactive but its documentation is still available online. - You can delete this version's documentation if you want to remove it completely. + You can delete this version's documentation if you want to remove it completely. {% endblocktrans %}

{% endif %}
From 5b1bd80e4d85189171b5428f969937075db8ad04 Mon Sep 17 00:00:00 2001
From: saadmk11
Date: Thu, 3 Oct 2019 22:40:54 +0600
Subject: [PATCH 2/3] Fixed tests
---
 readthedocs/rtd_tests/tests/test_privacy_urls.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/readthedocs/rtd_tests/tests/test_privacy_urls.py b/readthedocs/rtd_tests/tests/test_privacy_urls.py
index 18b23bf7734..08412efe323 100644
--- a/readthedocs/rtd_tests/tests/test_privacy_urls.py
+++ b/readthedocs/rtd_tests/tests/test_privacy_urls.py
@@ -238,10 +238,6 @@ class PrivateProjectAdminAccessTest(PrivateProjectMixin, TestCase):
 '/dashboard/import/manual/demo/': {'status_code': 302},
 '/dashboard/pip/': {'status_code': 301},
 '/dashboard/pip/subprojects/delete/sub/': {'status_code': 302},
- '/dashboard/pip/translations/delete/sub/': {'status_code': 302},
-
- # This depends on an inactive project
- '/dashboard/pip/version/latest/delete_html/': {'status_code': 400},
 # 405's where we should be POST'ing
 '/dashboard/pip/users/delete/': {'status_code': 405},
@@ -252,6 +248,8 @@ class PrivateProjectAdminAccessTest(PrivateProjectMixin, TestCase):
 '/dashboard/pip/integrations/{integration_id}/sync/': {'status_code': 405},
 '/dashboard/pip/integrations/{integration_id}/delete/': {'status_code': 405},
 '/dashboard/pip/environmentvariables/{environmentvariable_id}/delete/': {'status_code': 405},
+ '/dashboard/pip/translations/delete/sub/': {'status_code': 405},
+ '/dashboard/pip/version/latest/delete_html/': {'status_code': 405},
 }
 def get_url_path_ctx(self):
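Review bot: The two added entries only assert that a GET to `/dashboard/pip/translations/delete/sub/` and `/dashboard/pip/version/latest/delete_html/` returns 405, and with the earlier 302 and 400 expectations removed nothing in this dict reaches the view bodies any more. Django rejects a disallowed method before the `post` handler runs, so the same 405 entries added to `PrivateProjectUserAccessTest` in the next hunk do not show that a POST from a user who does not own the project is refused. I would add a POST test per view covering an admin deleting an inactive version, the case that used to yield the 400, and a non-owner being rejected. Such tests may already exist elsewhere, which is not visible here.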
@@ -288,6 +286,8 @@ class PrivateProjectUserAccessTest(PrivateProjectMixin, TestCase):
 '/dashboard/pip/integrations/{integration_id}/sync/': {'status_code': 405},
 '/dashboard/pip/integrations/{integration_id}/delete/': {'status_code': 405},
 '/dashboard/pip/environmentvariables/{environmentvariable_id}/delete/': {'status_code': 405},
+ '/dashboard/pip/translations/delete/sub/': {'status_code': 405},
+ '/dashboard/pip/version/latest/delete_html/': {'status_code': 405},
 }
 # Filtered out by queryset on projects that we don't own.
From 2df26fdae02d649f9a00cda9b8fe5dbe668526e5 Mon Sep 17 00:00:00 2001
From: saadmk11
Date: Wed, 9 Oct 2019 19:06:40 +0600
Subject: [PATCH 3/3] comment added
---
 readthedocs/templates/projects/project_version_detail.html | 1 +
 1 file changed, 1 insertion(+)
diff --git a/readthedocs/templates/projects/project_version_detail.html b/readthedocs/templates/projects/project_version_detail.html
index 728be45f8fe..c9135dfaf0b 100644
--- a/readthedocs/templates/projects/project_version_detail.html
+++ b/readthedocs/templates/projects/project_version_detail.html
@@ -23,6 +23,7 @@

Editing {{ version.slug }}

{% csrf_token %}

+ {# We are submitting the form using javascript because it breaks the UI design if we use buttons #} {% blocktrans trimmed %} This version is inactive but its documentation is still available online. You can delete this version's documentation if you want to remove it completely.