From 4878495914fb9701bedc242eb5087394138c8ee3 Mon Sep 17 00:00:00 2001
From: Brian Picciano
Date: Tue, 29 Nov 2022 22:20:34 +0100
Subject: [PATCH] Don't check CSRF for manage and edit methods

---
 src/http/api.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/http/api.go b/src/http/api.go
index 480f826..ffe0f25 100644
--- a/src/http/api.go
+++ b/src/http/api.go
@@ -262,19 +262,21 @@ func (a *api) handler() http.Handler {
 
 mux.Handle("/", a.blogHandler())
 
+ noCacheMiddleware := addResponseHeadersMiddleware(map[string]string{
+ "Cache-Control": "no-store, max-age=0",
+ "Pragma": "no-cache",
+ "Expires": "0",
+ })
+
 h := applyMiddlewares(
 apiutil.MethodMux(map[string]http.Handler{
- "GET": applyMiddlewares(
- mux,
- ),
+ "GET": applyMiddlewares(mux),
+ "MANAGE": applyMiddlewares(mux, noCacheMiddleware),
+ "EDIT": applyMiddlewares(mux, noCacheMiddleware),
 "*": applyMiddlewares(
 mux,
 a.checkCSRFMiddleware,
- addResponseHeadersMiddleware(map[string]string{
- "Cache-Control": "no-store, max-age=0",
- "Pragma": "no-cache",
- "Expires": "0",
- }),
+ noCacheMiddleware,
 ),
 }),
 setLoggerMiddleware(a.params.Logger),
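Review bot: The new `"MANAGE"` and `"EDIT"` entries pass requests to the same `mux` as the `"*"` entry but without `a.checkCSRFMiddleware`, so the exemption is only safe while every route reachable under those two methods is read-only, and nothing in the hunk states or enforces that. How `apiutil.MethodMux` determines the method is not visible here; if it can be selected by a request parameter rather than only the HTTP verb, any handler on `mux` that mutates state without checking the method itself would be reachable without a token. I would record the invariant above the map, e.g. `// MANAGE and EDIT only render pages and must never mutate state; they bypass checkCSRFMiddleware.`, and have mutating handlers reject any method other than the ones they expect. `handler()` begins and ends outside this hunk.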