Below are the actions identified by CodeRabbit; check first whether each is really an issue or just a false positive. See #4057 for more info.
I've identified several endpoints that modify server-side state in response to GET requests, which could lead to CSRF vulnerabilities.
Here are the specific problematic functions:
In website/views/issue.py:
- like_issue(request, issue_pk) - modifies user upvotes
- dislike_issue(request, issue_pk) - modifies user downvotes
- flag_issue(request, issue_pk) - modifies issue flags
- save_issue(request, issue_pk) - adds/removes saved issues
- unsave_issue(request, issue_pk) - removes saved issues

In website/views/organization.py:
- like_activity(request, id) - modifies activity likes/approval
- dislike_activity(request, id) - modifies activity dislikes
- approve_activity(request, id) - changes approval status
None of these functions check for the request method, meaning they process changes via GET requests.
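As an added example (not code from the issue or from the repository), a small static check in the spirit of the finding above: it parses a Django views module with `ast` and reports request-taking functions that call a state-mutating method but carry neither `@require_POST` nor a `@require_http_methods(...)` list that excludes GET. The mutator name list and the sample module are constructed assumptions, not the project's real views.

```python
import ast
# Constructed heuristic: attribute-call names that change server-side state.
MUTATORS = {"save", "delete", "add", "remove", "create", "update"}

def _decorator_name(dec):
    node = dec.func if isinstance(dec, ast.Call) else dec
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", "")

def _blocks_get(dec):
    """True for Django's require_POST, or require_http_methods whose list omits GET."""
    name = _decorator_name(dec)
    if name == "require_POST":
        return True
    if name == "require_http_methods" and isinstance(dec, ast.Call) and dec.args:
        allowed = {c.value for c in ast.walk(dec.args[0]) if isinstance(c, ast.Constant)}
        return "GET" not in allowed
    return False

def _mutates(func):
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
               and n.func.attr in MUTATORS for n in ast.walk(func))

def find_unguarded_views(source):
    """Names of top-level request-taking functions that mutate state yet accept GET."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef) or not func.args.args:
            continue
        if func.args.args[0].arg != "request" or not _mutates(func):
            continue
        if not any(_blocks_get(d) for d in func.decorator_list):
            findings.append(func.name)
    return findings

# Constructed sample module mirroring the pattern described in the issue.
SAMPLE = '''
from django.views.decorators.http import require_POST, require_http_methods
def like_issue(request, issue_pk):          # no method check: a GET mutates state
    Issue.objects.get(pk=issue_pk).upvotes.add(request.user)
    return redirect("issue_view", issue_pk)
@require_http_methods(["GET", "POST"])      # GET still allowed, so still flagged
def flag_issue(request, issue_pk):
    Issue.objects.get(pk=issue_pk).flags.add(request.user)
    return redirect("issue_view", issue_pk)
@require_POST                                # hardened: GET is answered with 405
def save_issue(request, issue_pk):
    request.user.saved.add(Issue.objects.get(pk=issue_pk))
    return redirect("issue_view", issue_pk)
def issue_detail(request, issue_pk):        # read-only, correctly not reported
    return render(request, "issue.html", {"issue": Issue.objects.get(pk=issue_pk)})
'''
```

Running `find_unguarded_views(SAMPLE)` returns `['like_issue', 'flag_issue']`; the check is a heuristic for triage (it will also match unrelated `.update()` calls), so each hit still needs the manual confirmation the issue asks for.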