From ca5ad07f262dd528035bd6c119cca81288693c77 Mon Sep 17 00:00:00 2001
From: Jocadbz
Date: Fri, 6 Mar 2026 14:53:20 -0300
Subject: [PATCH] Add CSRF checks to news.

---
 handlers/news.go | 6 ++++++
 templates/pages/news.html | 4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/handlers/news.go b/handlers/news.go
index 1aff94d..9fbe070 100644
--- a/handlers/news.go
+++ b/handlers/news.go
@@ -26,6 +26,11 @@ func NewsHandler(app *App) http.HandlerFunc {
 }
 
 if r.Method == http.MethodPost && loggedIn && isAdmin {
+ if !app.validateCSRFToken(r, session) {
+ http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+ return
+ }
+
 if action := r.URL.Query().Get("action"); action == "delete" {
 newsIDStr := r.URL.Query().Get("id")
 newsID, err := strconv.Atoi(newsIDStr)
@@ -85,6 +90,7 @@ func NewsHandler(app *App) http.HandlerFunc {
 BasePath: app.Config.ThreadrDir,
 StaticPath: app.Config.ThreadrDir + "/static",
 CurrentURL: r.URL.RequestURI(),
+ CSRFToken: app.csrfToken(session),
 },
 News: newsItems,
 IsAdmin: isAdmin,
diff --git a/templates/pages/news.html b/templates/pages/news.html
index f63ba2c..ad1c8c8 100644
--- a/templates/pages/news.html
+++ b/templates/pages/news.html
@@ -20,6 +20,7 @@
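Review bot: The rejection branch added at the top of the admin POST block in the first hunk returns 403 without recording anything, so a request that fails `validateCSRFToken` leaves no trace for operators; consider logging the rejection (request path, remote address and a session or user identifier, never the token value) before the `return`, e.g. `log.Printf("news: csrf check failed for %s from %s", r.URL.Path, r.RemoteAddr)` if the package already has a logger in scope. The placement itself looks right, after the `loggedIn && isAdmin` gate and before the `action == "delete"` branch, so every state-changing path in this handler is covered provided no other POST handling occurs before line 26. Note that the delete action still takes `action` and `id` from `r.URL.Query()` on a POST; that is acceptable as long as `validateCSRFToken` reads the token from the form body or a header rather than the query string, which this hunk cannot confirm. A one-line comment above the check, `// Admin POSTs must carry the session-bound CSRF token; reject before any state change.`, would document the intent for the next reader. The handler closure inside NewsHandler begins before this hunk and continues past it (the second hunk, which passes `app.csrfToken(session)` to the template, is the matching render-side change).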

{{.Content}}

{{if $.IsAdmin}}
+
{{end}} @@ -34,6 +35,7 @@

Post New Announcement

+
@@ -46,4 +48,4 @@ {{template "cookie_banner" .}} -{{end}} \ No newline at end of file +{{end}}