
CSRF to accept/refuse an invitation to join a team

Open Changaco opened this issue 1 year ago • 2 comments

www/%username/membership/%action.spt uses unprotected GET requests. This has been known for years and isn't a significant vulnerability, but we should probably fix it anyway, if only to avoid future reports.

Changaco avatar Oct 12 '22 18:10 Changaco

Hello @Changaco I would love to help with this if possible! Would you be able to please give me more information like maybe if you could direct me to the relevant files and how you would want this issue fixed?

catmar22 avatar Nov 10 '22 07:11 catmar22

@catmar22 The relevant files are www/%username/membership/%action.spt and emails/team_invite.spt. I see two possible ways to fix this. The first one is to keep the team_invite notification as it is and only modify %action.spt to ask the user to confirm that they want to join or leave the team. The second possibility is to merge the two buttons “Accept” and “Refuse” in the notification to “Accept or refuse the invitation”, so that users don't feel like we're asking them to make the same choice twice.

Changaco avatar Nov 14 '22 09:11 Changaco
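The issue and the first fix option above, illustrated as an added example that is not Liberapay's own code: a state-changing endpoint that acts on a bare GET sits beside a hardened version in which GET only renders a confirmation form and the change happens on a POST carrying a CSRF token. The request object, the session store, the path parser and the synchronizer-token scheme are all hypothetical stand-ins for www/%username/membership/%action.spt; the page says nothing about how Liberapay actually implements sessions or CSRF, so none of this should be read as the project's API.

```python
"""Added example (not Liberapay's code): CSRF-vulnerable GET endpoint vs.
confirm-then-POST with a synchronizer token. All names are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str                                     # "/%username/membership/%action"
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)   # browser attaches these to ANY request


# Constructed server-side state: one logged-in user, no team memberships yet.
SESSIONS = {"sess-alice": {"user": "alice"}}
MEMBERSHIPS = {"alice": set()}
ACTIONS = {"accept", "refuse"}


def current_user(req):
    sess = SESSIONS.get(req.cookies.get("session"))
    return sess["user"] if sess else None


def parse_path(path):
    """'/team/membership/accept' -> ('team', 'accept'); None if malformed."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[1] != "membership" or parts[2] not in ACTIONS:
        return None
    return parts[0], parts[2]


def apply_action(user, team, action):
    (MEMBERSHIPS[user].add if action == "accept" else MEMBERSHIPS[user].discard)(team)
    return {"status": 200, "body": f"invitation to {team}: {action}"}


def vulnerable_handler(req):
    """State change on a bare GET: an <img src=...> or link on any third-party
    page makes the victim's browser send this request with their cookies."""
    user, parsed = current_user(req), parse_path(req.path)
    if not user or not parsed:
        return {"status": 403, "body": "forbidden"}
    return apply_action(user, *parsed)


def csrf_token_for(req):
    """Synchronizer token kept in the server-side session, created lazily."""
    return SESSIONS[req.cookies["session"]].setdefault("csrf", secrets.token_urlsafe(32))


def hardened_handler(req):
    """GET renders a confirmation form that embeds the session's CSRF token;
    only a POST whose token matches (constant-time compare) changes state."""
    user, parsed = current_user(req), parse_path(req.path)
    if not user or not parsed:
        return {"status": 403, "body": "forbidden"}
    team, action = parsed
    if req.method == "GET":
        form = (f'<form method="post"><input type="hidden" name="csrf_token" '
                f'value="{csrf_token_for(req)}"><button>Confirm: {action} '
                f'invitation to {team}</button></form>')
        return {"status": 200, "body": form}
    if req.method != "POST":
        return {"status": 405, "body": "method not allowed"}
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token_for(req)):
        return {"status": 403, "body": "bad or missing CSRF token"}
    return apply_action(user, team, action)


def as_alice(method, path, form=None):
    """A request from alice's browser. A page on attacker.example can choose
    method, path and form fields, but cannot read the token in her session."""
    return Request(method, path, form=form or {}, cookies={"session": "sess-alice"})


def demo():
    forged = "/evil-team/membership/accept"
    MEMBERSHIPS["alice"].clear()
    vulnerable_handler(as_alice("GET", forged))
    out = {"vuln_joined_on_get": "evil-team" in MEMBERSHIPS["alice"]}

    MEMBERSHIPS["alice"].clear()
    out["hard_get"] = hardened_handler(as_alice("GET", forged))["status"]
    out["hard_post_no_token"] = hardened_handler(as_alice("POST", forged))["status"]
    out["hard_post_guess"] = hardened_handler(
        as_alice("POST", forged, {"csrf_token": "guess"}))["status"]
    out["hard_joined"] = "evil-team" in MEMBERSHIPS["alice"]
    # Legitimate flow: alice loads the confirmation form, then submits it.
    tok = csrf_token_for(as_alice("GET", "/friends/membership/accept"))
    out["legit_post"] = hardened_handler(
        as_alice("POST", "/friends/membership/accept", {"csrf_token": tok}))["status"]
    out["legit_joined"] = "friends" in MEMBERSHIPS["alice"]
    return out


if __name__ == "__main__":
    print(demo())
```

The forged GET still reaches the hardened handler and still carries alice's cookies (a SameSite=Lax session cookie is sent on top-level link navigations, so it does not close this hole on its own); what protects her is that the GET no longer does anything but render a form, and the POST that does act requires a token the attacker's page cannot read. The second fix option in the thread changes only the email: the notification links to this same confirmation page instead of directly to accept/refuse, so the user makes the choice once.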