Add CSRF checks to news.

handlers/news.go

@@ -26,6 +26,11 @@ func NewsHandler(app *App) http.HandlerFunc {
 		}
 
 		if r.Method == http.MethodPost && loggedIn && isAdmin {
+			if !app.validateCSRFToken(r, session) {
+				http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+				return
+			}
+
 			if action := r.URL.Query().Get("action"); action == "delete" {
 				newsIDStr := r.URL.Query().Get("id")
 				newsID, err := strconv.Atoi(newsIDStr)
@@ -85,6 +90,7 @@ func NewsHandler(app *App) http.HandlerFunc {
 				BasePath:         app.Config.ThreadrDir,
 				StaticPath:       app.Config.ThreadrDir + "/static",
 				CurrentURL:       r.URL.RequestURI(),
+				CSRFToken:        app.csrfToken(session),
 			},
 			News:    newsItems,
 			IsAdmin: isAdmin,

templates/pages/news.html

@@ -20,6 +20,7 @@
                     <p>{{.Content}}</p>
                     {{if $.IsAdmin}}
                     <form method="post" action="{{$.BasePath}}/news/?action=delete&id={{.ID}}" style="display:inline;">
+                        <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                         <button type="submit" onclick="return confirm('Are you sure you want to delete this news item?')">Delete</button>
                     </form>
                     {{end}}
@@ -34,6 +35,7 @@
         <section>
             <h3>Post New Announcement</h3>
             <form method="post" action="{{.BasePath}}/news/">
+                <input type="hidden" name="csrf_token" value="{{.CSRFToken}}">
                 <label for="title">Title:</label>
                 <input type="text" id="title" name="title" required maxlength="255"><br>
                 <label for="content">Content:</label>
@@ -46,4 +48,4 @@
     {{template "cookie_banner" .}}
 </body>
 </html>
-{{end}}
+{{end}}