fix: Add CSRF token to admin membership detail fetch requests

All AJAX calls in membership_detail.html now include X-CSRFToken header
to prevent 'Błąd połączenia' errors when performing admin actions like
start-review, approve, reject, request-changes, and registry lookup.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Maciej Pienczyn 2026-02-01 14:11:59 +01:00
parent ebc3dd63d3
commit 3e23bd3e4e


@ -794,6 +794,7 @@
{% block extra_js %}
const appId = {{ application.id }};
const appNip = '{{ application.nip or "" }}';
const csrfToken = '{{ csrf_token() }}';
let registryData = null;
// Pobieranie danych z rejestru
@ -815,7 +816,7 @@ async function lookupRegistry() {
try {
const response = await fetch('/api/membership/lookup-nip', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken },
body: JSON.stringify({ nip: appNip })
});
@ -912,7 +913,7 @@ async function applyRegistryData() {
try {
const response = await fetch(`/admin/membership/${appId}/update-from-registry`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken },
body: JSON.stringify(registryData)
});
@ -948,7 +949,7 @@ async function startReview() {
try {
const response = await fetch(`/admin/membership/${appId}/start-review`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' }
headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken }
});
const result = await response.json();
if (result.success) {
@ -968,7 +969,7 @@ async function approve() {
try {
const response = await fetch(`/admin/membership/${appId}/approve`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken },
body: JSON.stringify({ category_id: categoryId || null, comment: comment })
});
const result = await response.json();
@ -993,7 +994,7 @@ async function reject() {
try {
const response = await fetch(`/admin/membership/${appId}/reject`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken },
body: JSON.stringify({ comment: comment })
});
const result = await response.json();
@ -1017,7 +1018,7 @@ async function requestChanges() {
try {
const response = await fetch(`/admin/membership/${appId}/request-changes`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken },
body: JSON.stringify({ comment: comment })
});
const result = await response.json();
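Review bot: Each of these calls still goes straight to `response.json()` without checking the status (visible after the fetch in startReview, approve, reject and requestChanges), so a request the server refuses for CSRF reasons will presumably keep surfacing as the generic connection error the commit message describes. The token is rendered once into `csrfToken` at page load; if the framework expires tokens (Flask-WTF, for instance, applies `WTF_CSRF_TIME_LIMIT`), an admin page left open long enough would hit the same failure again. Adding `if (!response.ok) throw new Error('HTTP ' + response.status);` before the parse, or a distinct message for 400/403 responses, would make that case diagnosable. The header is also hand-copied into six calls; one small wrapper around `fetch` that sets `X-CSRFToken` would keep a future admin action from omitting it. The function bodies and their catch blocks lie outside the hunks, so the error path is inferred.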