From af2fac038c6b3dae8a7634ea07db203c8122dea8 Mon Sep 17 00:00:00 2001
From: Sam Splunks <72095718+samsplunks@users.noreply.github.com>
Date: Fri, 6 Dec 2024 09:19:06 +0000
Subject: [PATCH] Update votes with POST method and CSRF token

---
 .../templates/helpdesk/kb_category_base.html    |  6 ++++--
 helpdesk/tests/test_kb.py                       | 17 +++++++++--------
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/helpdesk/templates/helpdesk/kb_category_base.html b/helpdesk/templates/helpdesk/kb_category_base.html
index 4b276f0e..2b679e37 100644
--- a/helpdesk/templates/helpdesk/kb_category_base.html
+++ b/helpdesk/templates/helpdesk/kb_category_base.html
@@ -25,8 +25,10 @@
             <div class="row">
                 {% if request.user.pk %}
                 <div class="col-sm">
-                    <a href='{% url "helpdesk:kb_vote" item.pk "up" %}'><div class="btn btn-success btn-circle btn-xl"><i class="fa fa-thumbs-up fa-lg"></i></div></a>
-                    <a href='{% url "helpdesk:kb_vote" item.pk "down" %}'><div class="btn btn-danger btn-circle btn-xl"><i class="fa fa-thumbs-down fa-lg"></i></div></a>
+                    <form method="post" action="{% url "helpdesk:kb_vote" item.pk "up" %}" style="display: inline">{% csrf_token %}
+                    <button type="submit" class="btn btn-success btn-circle btn-xl"><i class="fa fa-thumbs-up fa-lg"></i></button></form>
+                    <form method="post" action="{% url "helpdesk:kb_vote" item.pk "down" %}" style="display: inline">{% csrf_token %}
+                    <button type="submit" class="btn btn-danger btn-circle btn-xl"><i class="fa fa-thumbs-down fa-lg"></i></submit></form>
                 </div>
                 {% endif %}
                 {% if staff %}
diff --git a/helpdesk/tests/test_kb.py b/helpdesk/tests/test_kb.py
index ab90ca3b..4430bf17 100644
--- a/helpdesk/tests/test_kb.py
+++ b/helpdesk/tests/test_kb.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-from django.test import TestCase
+from django.test import TestCase, Client
 from django.urls import reverse
 from helpdesk.models import KBCategory, KBItem, Queue, Ticket
 from helpdesk.tests.helpers import get_staff_user
@@ -64,19 +64,20 @@ class KBTests(TestCase):
         self.assertContains(response, '1 open tickets')
 
     def test_kb_vote(self):
-        self.client.login(username=self.user.get_username(),
+        client = Client(enforce_csrf_checks=True)
+        client.login(username=self.user.get_username(),
                           password='password')
-        response = self.client.get(
-            reverse('helpdesk:kb_vote', args=(self.kbitem1.pk, "up")))
+        response = client.post(
+            reverse('helpdesk:kb_vote', args=(self.kbitem1.pk, "up")), params={})
         cat_url = reverse('helpdesk:kb_category',
                           args=("test_cat",)) + "?kbitem=1"
         self.assertRedirects(response, cat_url)
-        response = self.client.get(cat_url)
+        response = client.get(cat_url)
         self.assertContains(response, '1 people found this answer useful of 1')
-        response = self.client.get(
-            reverse('helpdesk:kb_vote', args=(self.kbitem1.pk, "down")))
+        response = client.post(
+            reverse('helpdesk:kb_vote', args=(self.kbitem1.pk, "down")), params={})
         self.assertRedirects(response, cat_url)
-        response = self.client.get(cat_url)
+        response = client.get(cat_url)
         self.assertContains(response, '0 people found this answer useful of 1')
 
     def test_kb_category_iframe(self):