From 3e23bd3e4ee4c48e70678d09aa06a0074861ea88 Mon Sep 17 00:00:00 2001 From: Maciej Pienczyn Date: Sun, 1 Feb 2026 14:11:59 +0100 Subject: [PATCH] fix: Add CSRF token to admin membership detail fetch requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All AJAX calls in membership_detail.html now include X-CSRFToken header to prevent 'Błąd połączenia' errors when performing admin actions like start-review, approve, reject, request-changes, and registry lookup. Co-Authored-By: Claude Opus 4.5 --- templates/admin/membership_detail.html | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/templates/admin/membership_detail.html b/templates/admin/membership_detail.html index f77cfaa..db9ac3e 100644 --- a/templates/admin/membership_detail.html +++ b/templates/admin/membership_detail.html @@ -794,6 +794,7 @@ {% block extra_js %} const appId = {{ application.id }}; const appNip = '{{ application.nip or "" }}'; +const csrfToken = '{{ csrf_token() }}'; let registryData = null; // Pobieranie danych z rejestru @@ -815,7 +816,7 @@ async function lookupRegistry() { try { const response = await fetch('/api/membership/lookup-nip', { method: 'POST', - headers: { 'Content-Type': 'application/json' }, + headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken }, body: JSON.stringify({ nip: appNip }) }); @@ -912,7 +913,7 @@ async function applyRegistryData() { try { const response = await fetch(`/admin/membership/${appId}/update-from-registry`, { method: 'POST', - headers: { 'Content-Type': 'application/json' }, + headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken }, body: JSON.stringify(registryData) }); 
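Review bot: The new `const csrfToken = '{{ csrf_token() }}';` line in the -794 hunk relies on Jinja's HTML autoescaping inside a JavaScript string literal, which is the wrong escaper for that context; it is harmless today only because the token is server-generated and contains no quotes, backslashes or `</script>`. Flask's `tojson` filter emits a correctly quoted JS literal and additionally escapes `<`, `>` and `&`, so the context-correct form is `const csrfToken = {{ csrf_token()|tojson }};`. The existing `appNip` line directly above has the same shape and presumably carries user-submitted application data, so it would benefit from the same filter; the enclosing `{% block extra_js %}` continues outside the hunk.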
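Review bot: Sending the header still leaves a CSRF rejection indistinguishable from a network failure: after the changed `headers:` line each handler runs `const result = await response.json();` and tests `result.success` without checking `response.ok` (visible in the -948, -968, -993 and -1017 hunks; in this hunk and -912 the lines after `});` are outside the view). If this is Flask-WTF's CSRFProtect — the `csrf_token()` global and `X-CSRFToken` header suggest so — a missing or expired token is answered with an HTML 400 page, so `response.json()` throws and the catch path reports the same generic 'Błąd połączenia' this commit sets out to remove; because `csrfToken` is captured once at render time and tokens expire after `WTF_CSRF_TIME_LIMIT` (3600 s by default), an admin who keeps the page open past that limit lands on exactly this path. Add ``if (!response.ok) throw new Error(`HTTP ${response.status}`);`` before each `response.json()` and include the status in the catch's message, so an expired token prompts a page reload instead of a retry. The same applies to the hunks at -912, -948, -968, -993 and -1017; the enclosing functions' catch blocks lie outside every hunk.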
@@ -948,7 +949,7 @@ async function startReview() { try { const response = await fetch(`/admin/membership/${appId}/start-review`, { method: 'POST', - headers: { 'Content-Type': 'application/json' } + headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken } }); const result = await response.json(); if (result.success) { @@ -968,7 +969,7 @@ async function approve() { try { const response = await fetch(`/admin/membership/${appId}/approve`, { method: 'POST', - headers: { 'Content-Type': 'application/json' }, + headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken }, body: JSON.stringify({ category_id: categoryId || null, comment: comment }) }); const result = await response.json(); @@ -993,7 +994,7 @@ async function reject() { try { const response = await fetch(`/admin/membership/${appId}/reject`, { method: 'POST', - headers: { 'Content-Type': 'application/json' }, + headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken }, body: JSON.stringify({ comment: comment }) }); const result = await response.json(); @@ -1017,7 +1018,7 @@ async function requestChanges() { try { const response = await fetch(`/admin/membership/${appId}/request-changes`, { method: 'POST', - headers: { 'Content-Type': 'application/json' }, + headers: { 'Content-Type': 'application/json', 'X-CSRFToken': csrfToken }, body: JSON.stringify({ comment: comment }) }); const result = await response.json();