From 767b722025a3857dcaa0f0022193f1a422808a3d Mon Sep 17 00:00:00 2001 From: Paul Mathieu Date: Wed, 6 Aug 2025 21:42:31 +0200 Subject: [PATCH] Fix another CSRF issue Also turn that DEBUG to False, just for shits & giggles --- backend/zetikettes/tikette/views.py | 3 ++- backend/zetikettes/zetikettes/settings.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/backend/zetikettes/tikette/views.py b/backend/zetikettes/tikette/views.py index b81a027..2144afc 100644 --- a/backend/zetikettes/tikette/views.py +++ b/backend/zetikettes/tikette/views.py @@ -5,7 +5,7 @@ from django.conf import settings from django.core.exceptions import PermissionDenied from django.http import JsonResponse from django.shortcuts import render -from django.views.decorators.csrf import csrf_exempt +from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie from google.auth.transport import requests from google.oauth2 import id_token @@ -51,6 +51,7 @@ def quirk_bold_allergens(ingredients): @auth_only +@ensure_csrf_cookie def get_list(request): tikettes = [{ 'id': x.id, diff --git a/backend/zetikettes/zetikettes/settings.py b/backend/zetikettes/zetikettes/settings.py index f6ce435..9733ab7 100644 --- a/backend/zetikettes/zetikettes/settings.py +++ b/backend/zetikettes/zetikettes/settings.py @@ -27,7 +27,7 @@ MEDIA_URL = '/data/' SECRET_KEY = 'django-insecure-64qxpe55#9wy=5@#dl0)3w7ywxh48m!f&!slp9e7v4lh@hjdct' # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +DEBUG = False ALLOWED_HOSTS = ['*'] CSRF_TRUSTED_ORIGINS = ['https://*.ponteilla.net']
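Review bot: `@ensure_csrf_cookie` is stacked inside `@auth_only`, so the cookie is set only once the request has already passed authentication; if `auth_only` rejects the request before calling the view, no CSRF cookie is issued and the client has to authenticate first and retry. That ordering is plausibly intended, but it is not recorded anywhere — a comment above `get_list` such as `# Issue the CSRF cookie on this GET so the client can echo it in X-CSRFToken on later POSTs.` would state why the list endpoint carries the decorator. Note that `ensure_csrf_cookie` only guarantees the cookie is sent; enforcement still depends on `CsrfViewMiddleware` being active and on the write views not being marked `csrf_exempt`, which this diff does not show (`csrf_exempt` remains imported in the first hunk). The body of `get_list` continues outside the hunk.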
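Review bot: Turning `DEBUG` to `False` leaves the two neighbouring lines that matter most for a non-debug deployment untouched: `ALLOWED_HOSTS = ['*']` disables Host-header validation, and `SECRET_KEY` is still the committed `django-insecure-` development key that now signs sessions and other signed values for a production-mode server. All three should come from the environment rather than the file, e.g. `SECRET_KEY = os.environ['DJANGO_SECRET_KEY']`, `ALLOWED_HOSTS = os.environ['DJANGO_ALLOWED_HOSTS'].split(',')` and `DEBUG = os.environ.get('DJANGO_DEBUG') == '1'`, which also removes the need to flip this constant in commits. The `import os` that requires is not visible in this hunk, so confirm it at the top of settings.py. With `DEBUG` off Django no longer renders tracebacks, so a `LOGGING` configuration that captures `django.request` errors is worth confirming elsewhere in this file.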