Add CSRF checks to news.

2026-03-06 14:53:20 -03:00 · 2026-03-06 14:53:20 -03:00 · ca5ad07f26
parent 47ebf77f24
commit ca5ad07f26
2 changed files with 9 additions and 1 deletions
--- a/handlers/news.go
+++ b/handlers/news.go
@ -26,6 +26,11 @@ func NewsHandler(app *App) http.HandlerFunc {
 		}

 		if r.Method == http.MethodPost && loggedIn && isAdmin {
+			if !app.validateCSRFToken(r, session) {
+				http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+				return
+			}
+
 			if action := r.URL.Query().Get("action"); action == "delete" {
 				newsIDStr := r.URL.Query().Get("id")
 				newsID, err := strconv.Atoi(newsIDStr)
@ -85,6 +90,7 @@ func NewsHandler(app *App) http.HandlerFunc {
 				BasePath:         app.Config.ThreadrDir,
 				StaticPath:       app.Config.ThreadrDir + "/static",
 				CurrentURL:       r.URL.RequestURI(),
+				CSRFToken:        app.csrfToken(session),
 			},
 			News:    newsItems,
 			IsAdmin: isAdmin,
--- a/templates/pages/news.html
+++ b/templates/pages/news.html
@ -20,6 +20,7 @@
                    <p>{{.Content}}</p>
                    {{if $.IsAdmin}}
                    <form method="post" action="{{$.BasePath}}/news/?action=delete&id={{.ID}}" style="display:inline;">
+                        <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                        <button type="submit" onclick="return confirm('Are you sure you want to delete this news item?')">Delete</button>
                    </form>
                    {{end}}
@ -34,6 +35,7 @@
        <section>
            <h3>Post New Announcement</h3>
            <form method="post" action="{{.BasePath}}/news/">
+                <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                <label for="title">Title:</label>
                <input type="text" id="title" name="title" required maxlength="255"><br>
                <label for="content">Content:</label>
@ -46,4 +48,4 @@
    {{template "cookie_banner" .}}
 </body>
 </html>
-{{end}}
+{{end}}