From d48351e1d1b978013c9fb2ef4c095ffd7084e23f Mon Sep 17 00:00:00 2001
From: Matthew Somerville
Date: Tue, 14 Feb 2017 10:05:50 +0000
Subject: [PATCH] Exclude front-page submit views from CSRF.
---
 mapit/views/areas.py | 2 ++
 mapit/views/postcodes.py | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/mapit/views/areas.py b/mapit/views/areas.py
index 0553dadb..15ba5591 100644
--- a/mapit/views/areas.py
+++ b/mapit/views/areas.py
@@ -10,6 +10,7 @@
 from django.core.urlresolvers import resolve, reverse
 from django.conf import settings
 from django.shortcuts import redirect, render
+from django.views.decorators.csrf import csrf_exempt
 from mapit.models import Area, Generation, Geometry, Code, Name
 from mapit.shortcuts import output_json, output_html, output_polygon, get_object_or_404, set_timeout
@@ -407,6 +408,7 @@ def areas_by_point_osgb(request, e, n, bb=False, format=''):
 return HttpResponseRedirect(redirect_path)
+@csrf_exempt
 def point_form_submitted(request):
 latlon = request.POST.get('pc', None)
 if not request.method == 'POST' or not latlon:
diff --git a/mapit/views/postcodes.py b/mapit/views/postcodes.py
index a4f8250d..da1a07c4 100644
--- a/mapit/views/postcodes.py
+++ b/mapit/views/postcodes.py
@@ -6,6 +6,7 @@
 from django.contrib.gis.geos import Point
 from django.contrib.gis.measure import D
 from django.contrib.gis.db.models import Collect
+from django.views.decorators.csrf import csrf_exempt
 from mapit.models import Postcode, Area, Generation
 from mapit.utils import is_valid_postcode, is_valid_partial_postcode
@@ -140,6 +141,7 @@ def example_postcode_for_area(request, area_id, format='json'):
 return output_json(pc)
+@csrf_exempt
 def form_submitted(request):
 pc = request.POST.get('pc', None)
 if not request.method == 'POST' or not pc:
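Review bot: The `@csrf_exempt` added above `point_form_submitted` in mapit/views/areas.py has no comment recording why dropping the CSRF check is safe for this view, and the same is true of `form_submitted` in mapit/views/postcodes.py. Only the first three lines of each function are inside the hunks, so the rest of the bodies cannot be checked here. From those lines the views appear to read `pc` from the POST data and branch on it, which would make the exemption reasonable if they stay a read-only lookup. I would state that invariant directly above each decorator so a later edit does not add a state-changing or session-dependent action to an unprotected endpoint: `# CSRF-exempt: read-only lookup; must not change state or act on the user's session.` A regression test that POSTs to both views without a token and asserts that nothing is written would keep that assumption checked.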