A data altering method is done through a get request in AdminTaskToggleDoneView
, making it vulnerable to csrf attack. In django, get request is considered as a safe method and is not protected against csrf.
class AdminTaskToggleDoneView(LoginRequiredMixin, ManagerPermMixin, RedirectView):
permanent = False
pattern_name = "admin_tasks:detail"
def get(self, request, *args, **kwargs):
task_id = self.kwargs.get("pk", -1)
admin_task = get_object_or_404(AdminTask, id=task_id)
admin_task.completed = not admin_task.completed
admin_task.save() # <- Marked as completed
return super().get(request, *args, **kwargs)