From a5f801bb526a18e9cbcea7de422b4c3c56540d3c Mon Sep 17 00:00:00 2001
From: Garret Wassermann <gwasser@gmail.com>
Date: Mon, 4 Oct 2021 23:13:38 -0400
Subject: [PATCH] use csrf tokens in all forms

---
 helpdesk/templates/helpdesk/ticket_desc_table.html | 13 ++++++++++++-
 helpdesk/views/staff.py                            |  2 ++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/helpdesk/templates/helpdesk/ticket_desc_table.html b/helpdesk/templates/helpdesk/ticket_desc_table.html
index 2bf4c922..36df46fb 100644
--- a/helpdesk/templates/helpdesk/ticket_desc_table.html
+++ b/helpdesk/templates/helpdesk/ticket_desc_table.html
@@ -15,7 +15,18 @@
                             <span class='ticket_toolbar float-right'>
                         <a href="{% url 'helpdesk:edit' ticket.id %}" class="ticket-edit"><button class="btn btn-warning btn-sm"><i class="fas fa-pencil-alt"></i> {% trans "Edit" %}</button></a>
                     | <a href="{% url 'helpdesk:delete' ticket.id %}" class="ticket-delete"><button class="btn btn-danger btn-sm"><i class="fas fa-trash-alt"></i> {% trans "Delete" %}</button></a>
-                    {% if ticket.on_hold %} | <a href="{% url 'helpdesk:unhold' ticket.id %}" class="ticket-hold"><button class="btn btn-warning btn-sm"><i class="fas fa-play"></i> {% trans "Unhold" %}</button></a>{% else %} | <a href="{% url 'helpdesk:hold' ticket.id %}" class="ticket-hold"><button class="btn btn-warning btn-sm"><i class="fas fa-pause"></i> {% trans "Hold" %}</button></a>{% endif %}
+                    |
+                    {% if ticket.on_hold %}
+                    <form class="form-inline ticket-hold" method='post' action='unhold/'>
+                        {% csrf_token %}
+                        <button class="btn btn-warning btn-sm" type='submit'><i class="fas fa-play"></i> {% trans "Unhold" %}</button>
+                    </form>
+                    {% else %}
+                    <form class="form-inline ticket-hold" method='post' action='hold/'>
+                        {% csrf_token %}
+                        <button class="btn btn-warning btn-sm" type='submit'><i class="fas fa-pause"></i> {% trans "Hold" %}</button>
+                    </form>
+                    {% endif %}
                     </span></th></tr>
                 </thead>
                 <tbody>
diff --git a/helpdesk/views/staff.py b/helpdesk/views/staff.py
index 6faf9df9..38598be5 100644
--- a/helpdesk/views/staff.py
+++ b/helpdesk/views/staff.py
@@ -1277,6 +1277,7 @@ raw_details = staff_member_required(raw_details)
 
 
 @helpdesk_staff_member_required
+@requires_csrf_token
 def hold_ticket(request, ticket_id, unhold=False):
     ticket = get_object_or_404(Ticket, id=ticket_id)
     ticket_perm_check(request, ticket)
@@ -1306,6 +1307,7 @@ hold_ticket = staff_member_required(hold_ticket)
 
 
 @helpdesk_staff_member_required
+@requires_csrf_token
 def unhold_ticket(request, ticket_id):
     return hold_ticket(request, ticket_id, unhold=True)