From 113f474e8bf7d2c5dad1eeb40afa7b28c4ec61be Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Wed, 21 Dec 2016 11:58:59 -0600
Subject: [PATCH] Fix master merge template/forms to include CSRF token
---
 tailbone/templates/master/index.mako | 5 +++--
 tailbone/templates/master/merge.mako | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tailbone/templates/master/index.mako b/tailbone/templates/master/index.mako
index 5bb155bf..a5ca6665 100644
--- a/tailbone/templates/master/index.mako
+++ b/tailbone/templates/master/index.mako
@@ -55,10 +55,11 @@ <%def name="grid_tools()">
 % if master.mergeable and request.has_perm('{}.merge'.format(permission_prefix)):
- ${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')}
+ ${h.form(url('{}.merge'.format(route_prefix)), name='merge-things')}
+ ${h.csrf_token(request)}
 ${h.hidden('uuids')}
- ${h.end_form()}
+ ${h.end_form()}
 % endif
diff --git a/tailbone/templates/master/merge.mako b/tailbone/templates/master/merge.mako
index 8d3f11ff..d56416d7 100644
--- a/tailbone/templates/master/merge.mako
+++ b/tailbone/templates/master/merge.mako
@@ -132,6 +132,7 @@ ${h.form(request.current_route_url(), class_='merge')}
+${h.csrf_token(request)}
${h.hidden('uuids', value='{},{}'.format(object_to_remove.uuid, object_to_keep.uuid))} Whoops, nevermind
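Review bot: The added `${h.csrf_token(request)}` in this form, and the matching one in the `merge-things` form of index.mako, only emit the token; nothing visible in either hunk shows the merge view refusing a POST that arrives without it. The fix is therefore complete only if server-side CSRF checking is already enforced for that route, which is worth confirming and covering with a view test that posts `uuids` with no token and expects rejection. Because the token is added by hand in each template, the same omission can recur in the next form; a short Mako comment above each call, e.g. `## state-changing POST: keep the CSRF token inside this form`, would make the requirement visible to whoever edits these templates. The index.mako hunk also re-indents the `h.form`/`h.end_form` lines in the same commit, which makes the one security-relevant line harder to pick out when auditing or backporting. Both forms extend beyond the lines shown in their hunks.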