add csrf protection

app/routes/mod.py

@@ -1,5 +1,5 @@
 from flask import Blueprint, abort, redirect, url_for, request, render_template
-from ..auth import is_logged_in, get_active_user
+from ..auth import is_logged_in, get_active_user, csrf_verified
 from ..models import Topics, Threads
 bp = Blueprint('mod', __name__, url_prefix='/mod/')
 
@@ -81,13 +81,16 @@ def sticky_thread(thread_id):
     return redirect(url_for('threads.thread', slug=thread.slug))
 
 @bp.post('/users/<int:user_id>/make-guest/')
+@csrf_verified
 def make_user_guest(user_id):
     return 'stub'
 
 @bp.post('/users/<int:user_id>/make-user/')
+@csrf_verified
 def make_user_regular(user_id):
     return 'stub'
 
 @bp.post('/users/<int:user_id>/make-mod/')
+@csrf_verified
 def make_user_mod(user_id):
     return 'stub'

app/routes/users.py

@@ -2,7 +2,11 @@ from flask import Blueprint, redirect, url_for, render_template, request, sessio
 from functools import wraps
 import time
 
-from ..auth import digest, verify, create_session, is_logged_in, parse_username, is_password_valid, login_required
+from ..auth import (
+    digest, verify, create_session,
+    is_logged_in, parse_username, is_password_valid,
+    login_required
+    )
 from ..models import Users
 from ..constants import PermissionLevel
 from secrets import compare_digest as compare_timesafe
@@ -24,6 +28,11 @@ def redirect_if_logged_in(destination='topics.all_topics'):
 def log_in():
     return render_template('users/log_in.html')
 
+@bp.post('/log-out/')
+@login_required
+def log_out():
+    return 'stub'
+
 @bp.post('/log-in/')
 @redirect_if_logged_in()
 def log_in_post():
@@ -124,7 +133,3 @@ def inbox(username):
 def bookmarks(username):
     return 'stub'
 
-@bp.post('/<username>/log_out/')
-@login_required
-def log_out(username):
-    return 'stub'