From c11a43b7c5e76f3e4edb897e8e828ac5c91fa6bf Mon Sep 17 00:00:00 2001
From: Evert <imsonotsleepy@gmail.com>
Date: Sat, 11 Nov 2017 20:34:48 +0200
Subject: [PATCH] Show - Form hack with vote buttons - CSRF protection

---
 LandingPage/static/css/style.css |  3 +++
 Show/templates/episode.html      | 18 ++++++++++++------
 Show/views.py                    |  2 +-
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/LandingPage/static/css/style.css b/LandingPage/static/css/style.css
index e421c70..045cd4b 100644
--- a/LandingPage/static/css/style.css
+++ b/LandingPage/static/css/style.css
@@ -181,6 +181,9 @@ a.episode .submission_cnt {
   cursor: pointer;
   text-decoration: none;
 }
+.vote-btns form {
+  display: inline-block;
+}
 .vote-positive {
   background-color: #a4ffa7;
   color: #008005;
diff --git a/Show/templates/episode.html b/Show/templates/episode.html
index 0b3924d..9563ae7 100644
--- a/Show/templates/episode.html
+++ b/Show/templates/episode.html
@@ -41,12 +41,18 @@
 	<div class="submission{% if sbm.positives < sbm.negatives %} buried{% endif %}">
 		<a href="{{sbm.url}}" class="link"><i class="fa fa-fw fa-globe"></i>&nbsp;{{sbm.url}}</a>
 		<div class="vote-btns" data-vote-id="{{sbm.id}}">
-			<a href="/show/{{show.abbr}}/vote/{{sbm.id}}/1" class="vote-positive">
-				<i class="fa fa-fw fa-thumbs-up"></i>&nbsp;{{sbm.positives}}
-			</a>
-			<a href="/show/{{show.abbr}}/vote/{{sbm.id}}/0" class="vote-negative">
-				<i class="fa fa-fw fa-thumbs-down"></i>&nbsp;{{sbm.negatives}}
-			</a>
+			<form method="POST" action="/show/{{show.abbr}}/vote/{{sbm.id}}/1">
+				{% csrf_token %}
+				<button class="vote-positive">
+					<i class="fa fa-fw fa-thumbs-up"></i>&nbsp;{{sbm.positives}}
+				</button>
+			</form>
+			<form method="POST" action="/show/{{show.abbr}}/vote/{{sbm.id}}/0">
+				{% csrf_token %}
+				<button class="vote-negative">
+					<i class="fa fa-fw fa-thumbs-down"></i>&nbsp;{{sbm.negatives}}
+				</button>
+			</form>
 		</div>
 	</div>
 	{% empty %}
diff --git a/Show/views.py b/Show/views.py
index 1bcc5e3..ba23497 100644
--- a/Show/views.py
+++ b/Show/views.py
@@ -145,7 +145,7 @@ def SubmissionForm(req, abbreviation, season, episode):
 # Vote request
 # /show/{{abbr}}/vote/{{submission id}}/{{positive == 1}}
 class SubmissionVoteSubmit(View):
-    def get (self, req, abbreviation, subid, positive):
+    def post (self, req, abbreviation, subid, positive):
         # Convert positive parameter into a boolean
         pos_bool = int(positive) == 1