Merge pull request #135 from NHSDigital/fix-csrf-sonarqube-issues

Themitchell · web-flow · commit fd1201fcf8af · 2025-11-11T13:59:50.000Z
Only allow GET and POST requests for views
diff --git a/lung_cancer_screening/questions/views/age_range_exit.py b/lung_cancer_screening/questions/views/age_range_exit.py
@@ -1,7 +1,9 @@
 from django.shortcuts import render
+from django.views.decorators.http import require_GET
 
 from .decorators.participant_decorators import require_participant
 
+@require_GET
 @require_participant
 def age_range_exit(request):
     return render(
diff --git a/lung_cancer_screening/questions/views/date_of_birth.py b/lung_cancer_screening/questions/views/date_of_birth.py
@@ -1,11 +1,13 @@
 from django.shortcuts import render, redirect
 from django.urls import reverse
+from django.views.decorators.http import require_http_methods
 from datetime import date
 from dateutil.relativedelta import relativedelta
 
 from .decorators.participant_decorators import require_participant
 from ..forms.date_of_birth_form import DateOfBirthForm
 
+@require_http_methods(["GET", "POST"])
 @require_participant
 def date_of_birth(request):
     if request.method == "POST":
diff --git a/lung_cancer_screening/questions/views/ethnicity.py b/lung_cancer_screening/questions/views/ethnicity.py
@@ -1,9 +1,11 @@
 from django.shortcuts import render, redirect
 from django.urls import reverse
+from django.views.decorators.http import require_http_methods
 
 from .decorators.participant_decorators import require_participant
 from ..forms.ethnicity_form import EthnicityForm
 
+@require_http_methods(["GET", "POST"])
 @require_participant
 def ethnicity(request):
 
diff --git a/lung_cancer_screening/questions/views/gender.py b/lung_cancer_screening/questions/views/gender.py
@@ -1,9 +1,11 @@
 from django.shortcuts import render, redirect
 from django.urls import reverse
+from django.views.decorators.http import require_http_methods
 
 from .decorators.participant_decorators import require_participant
 from ..forms.gender_form import GenderForm
 
+@require_http_methods(["GET", "POST"])
 @require_participant
 def gender(request):
     if request.method == "POST":
diff --git a/lung_cancer_screening/questions/views/have_you_ever_smoked.py b/lung_cancer_screening/questions/views/have_you_ever_smoked.py
@@ -1,10 +1,12 @@
 from django.shortcuts import render, redirect
 from django.urls import reverse
+from django.views.decorators.http import require_http_methods
 
 from .decorators.participant_decorators import require_participant
 from ..forms.have_you_ever_smoked_form import HaveYouEverSmokedForm
 from ..models.response_set import HaveYouEverSmokedValues
 
+@require_http_methods(["GET", "POST"])
 @require_participant
 def have_you_ever_smoked(request):
     if request.method == "POST":
diff --git a/lung_cancer_screening/questions/views/height.py b/lung_cancer_screening/questions/views/height.py
@@ -1,9 +1,11 @@
 from django.shortcuts import render, redirect
+from django.views.decorators.http import require_http_methods
 
 from lung_cancer_screening.questions.forms.metric_height_form import MetricHeightForm
 from lung_cancer_screening.questions.forms.imperial_height_form import ImperialHeightForm
 from .decorators.participant_decorators import require_participant
 
+@require_http_methods(["GET", "POST"])
 @require_participant
 def height(request):
     unit = request.GET.get('unit')
diff --git a/lung_cancer_screening/questions/views/non_smoker_exit.py b/lung_cancer_screening/questions/views/non_smoker_exit.py
@@ -1,7 +1,9 @@
 from django.shortcuts import render
+from django.views.decorators.http import require_GET
 
 from .decorators.participant_decorators import require_participant
 
+@require_GET
 @require_participant
 def non_smoker_exit(request):
     return render(
diff --git a/lung_cancer_screening/questions/views/responses.py b/lung_cancer_screening/questions/views/responses.py
@@ -1,9 +1,11 @@
 from django.shortcuts import render, redirect
 from django.urls import reverse
 from django.utils import timezone
+from django.views.decorators.http import require_http_methods
 
 from .decorators.participant_decorators import require_participant
 
+@require_http_methods(["GET", "POST"])
 @require_participant
 def responses(request):
     response_set = request.participant.responseset_set.last()
diff --git a/lung_cancer_screening/questions/views/sex_at_birth.py b/lung_cancer_screening/questions/views/sex_at_birth.py
@@ -1,9 +1,11 @@
 from django.shortcuts import render, redirect
 from django.urls import reverse
+from django.views.decorators.http import require_http_methods
 
 from .decorators.participant_decorators import require_participant
 from ..forms.sex_at_birth_form import SexAtBirthForm
 
+@require_http_methods(["GET", "POST"])
 @require_participant
 def sex_at_birth(request):
     if request.method == "POST":
diff --git a/lung_cancer_screening/questions/views/start.py b/lung_cancer_screening/questions/views/start.py
@@ -1,9 +1,11 @@
 from django.shortcuts import render, redirect
 from django.urls import reverse
 from django.core.exceptions import ValidationError
+from django.views.decorators.http import require_http_methods
 
 from lung_cancer_screening.questions.models.participant import Participant
 
+@require_http_methods(["GET", "POST"])
 def start(request):
     if request.method == "POST":
         try:
diff --git a/lung_cancer_screening/questions/views/your_results.py b/lung_cancer_screening/questions/views/your_results.py
@@ -1,7 +1,7 @@
 from django.shortcuts import render
+from django.views.decorators.http import require_http_methods
 
-
-
+@require_http_methods(["GET"])
 def your_results(request):
     return render(
         request,
