Add token to href to prevent CSRF
| Reported by: | HumanInternals | Owned by: | Steffen Hoffmann |
This isn't critical at all, but there's a CSRF issue. One can force other users to vote for tickets by making them send a request to the vote URL. For example, he can embed it as an image in a ticket - and then anyone viewing the ticket and requesting the image would vote up without knowing.
This can be fixed by passing the token in the URL and making sure it's there when processing the request.
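
The fix proposed above, sketched as an added example; it is not the plugin's own code. The `/vote/<direction>/<resource>` URL layout, the `Session` class and the function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class Session:
    """Constructed stand-in for a logged-in user's server-side session."""

    def __init__(self, user):
        self.user = user
        self.token = secrets.token_hex(16)  # per-session anti-CSRF token


def vote_href(session, resource, direction):
    """Build the vote link that is rendered into pages for this session only."""
    return f"/vote/{direction}/{resource}?" + urlencode({"token": session.token})


def handle_vote(session, url, votes):
    """Record a vote only if the URL carries this session's token."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/", 2)
    if len(segments) != 3 or segments[0] != "vote" or segments[1] not in ("up", "down"):
        return 404
    supplied = parse_qs(parts.query).get("token", [""])[0]
    # Constant-time comparison; a missing token compares as "" and fails.
    if not hmac.compare_digest(supplied.encode(), session.token.encode()):
        return 403
    votes[(session.user, segments[2])] = 1 if segments[1] == "up" else -1
    return 200


def demo():
    """Replay three constructed requests against one session."""
    session = Session("alice")
    votes = {}
    # URL as a third party could embed it: no knowledge of the token.
    embedded = handle_vote(session, "/vote/up/ticket/42", votes)
    # URL carrying a token that does not belong to this session.
    guessed = handle_vote(session, "/vote/up/ticket/42?token=" + "0" * 32, votes)
    # Link the application itself rendered for the user.
    clicked = handle_vote(session, vote_href(session, "ticket/42", "up"), votes)
    return embedded, guessed, clicked, votes


if __name__ == "__main__":
    print(demo())
```

A token carried in a GET URL can still end up in Referer headers, browser history and server logs; sending the vote as a POST with the same token in the form body avoids that exposure.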