Exclude front-page submit views from CSRF.

mapit/views/areas.py

@@ -10,6 +10,7 @@
 from django.core.urlresolvers import resolve, reverse
 from django.conf import settings
 from django.shortcuts import redirect, render
+from django.views.decorators.csrf import csrf_exempt
 
 from mapit.models import Area, Generation, Geometry, Code, Name
 from mapit.shortcuts import output_json, output_html, output_polygon, get_object_or_404, set_timeout
@@ -407,6 +408,7 @@ def areas_by_point_osgb(request, e, n, bb=False, format=''):
     return HttpResponseRedirect(redirect_path)
 
 
+@csrf_exempt
 def point_form_submitted(request):
     latlon = request.POST.get('pc', None)
     if not request.method == 'POST' or not latlon:

mapit/views/postcodes.py

@@ -6,6 +6,7 @@
 from django.contrib.gis.geos import Point
 from django.contrib.gis.measure import D
 from django.contrib.gis.db.models import Collect
+from django.views.decorators.csrf import csrf_exempt
 
 from mapit.models import Postcode, Area, Generation
 from mapit.utils import is_valid_postcode, is_valid_partial_postcode
@@ -140,6 +141,7 @@ def example_postcode_for_area(request, area_id, format='json'):
     return output_json(pc)
 
 
+@csrf_exempt
 def form_submitted(request):
     pc = request.POST.get('pc', None)
     if not request.method == 'POST' or not pc: