django-ratings
CSRF vulnerability
The view accepts vote updates via a GET request (in fact via any request method), so it is trivial to exploit the rating system from any third-party site.
Example: site A uses django-ratings to rate some items. On site B add
<img src="http://A/rate-my-post/100/10" width="1" height="1" />
Any user visiting site B will rate the thing on site A.
The effects of this vulnerability depend mostly on can_change_vote and allow_anonymous.
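As an added illustration of the fix (not code from django-ratings), the model below contrasts a vote view that records any request with one that requires POST plus a CSRF token matching the csrftoken cookie, the double-submit pattern Django's middleware uses; the Request class, the cookie and field names, and the allow_anonymous flag are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for an HTTP request (hypothetical, not Django's HttpRequest).
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    authenticated: bool = False


def new_csrf_token() -> str:
    """Token the site sets as a cookie and embeds in its own rating form."""
    return secrets.token_hex(16)


def vulnerable_rate(request: Request, object_id: int, score: int) -> str:
    # Mirrors the reported behaviour: the vote is recorded for any method and
    # with no origin check, so a cross-site <img> GET carrying the victim's
    # cookies succeeds.
    return f"voted {score} on {object_id}"


def safe_rate(request: Request, object_id: int, score: int,
              allow_anonymous: bool = False) -> str:
    """Hardened version: POST only, optional login requirement, and the form
    token must equal the CSRF cookie (constant-time comparison)."""
    if request.method != "POST":
        return "405 method not allowed"
    if not allow_anonymous and not request.authenticated:
        return "403 login required"
    cookie_token = request.cookies.get("csrftoken", "")
    form_token = request.post.get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return "403 csrf check failed"
    return f"voted {score} on {object_id}"


def cross_site_img_request(victim_cookies: dict) -> Request:
    """The request an <img> tag on site B produces: a GET that carries the
    victim's cookies but can neither add a form field nor read the token."""
    return Request(method="GET", cookies=dict(victim_cookies))
```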