Fix master merge template/forms to include CSRF token

tailbone/templates/master/index.mako

@@ -55,10 +55,11 @@
 
 <%def name="grid_tools()">
   % if master.mergeable and request.has_perm('{}.merge'.format(permission_prefix)):
-    ${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')}
+      ${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')}
+      ${h.csrf_token(request)}
       ${h.hidden('uuids')}
       <button type="submit">Merge 2 ${model_title_plural}</button>
-    ${h.end_form()}
+      ${h.end_form()}
   % endif
 </%def>
 

tailbone/templates/master/merge.mako

@@ -132,6 +132,7 @@
 </table>
 
 ${h.form(request.current_route_url(), class_='merge')}
+${h.csrf_token(request)}
 <div class="buttons">
   ${h.hidden('uuids', value='{},{}'.format(object_to_remove.uuid, object_to_keep.uuid))}
   <a class="button" href="${index_url}">Whoops, nevermind</a>