
Add CSRF protection to workspace settings forms

Open yogur opened this issue 8 months ago • 2 comments

Problem

Forms that change workspace settings are vulnerable to CSRF. A successful CSRF attack can lead to changing the workspace user access list and to making private workspaces public.

The vulnerability can be reproduced on the form for changing user access by following these steps:

  1. Copy the following code and save it in a new HTML file:
<html>
  <body>
    <form action="http://localhost:8080/workspace/1/users" method="POST">
      <input type="hidden" name="writeUsers" value="structurizr&#13;&#10;csrf&#45;write&#64;gmail&#46;com&#13;&#10;" />
      <input type="hidden" name="readUsers" value="csrf&#45;read&#64;gmail&#46;com&#13;&#10;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
  2. Change the workspace ID number in the form action from 1 to the ID number of an existing workspace.
  3. Open the HTML file in a browser that's already authenticated to structurizr and click the submit button.
  4. Note how the list of users that have access to the workspace has been updated.

Fix

The changes in the pull request add CSRF protection to seven forms.

I built the code locally and tested the fix to make sure it works.

yogur, Nov 01 '23 13:11
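An added illustration of the kind of protection the fix describes, not code from the structurizr/onpremises repository or from the pull request: a framework-agnostic synchronizer-token check in Python. The `Session` class, the `_csrf` field name, the `update_workspace_users` handler and the sample form bodies are assumptions constructed for this example; only the `writeUsers`/`readUsers` field names are taken from the report above. It shows why the cross-site form in the report fails once the token is required: the attacker's page cannot read the per-session token, so its POST arrives without one and is rejected before any access list changes.

```python
"""Synchronizer-token CSRF check for a workspace settings form handler.

Added example, not structurizr's code. Session handling, the token field
name and the handler below are assumptions for illustration only.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode

TOKEN_FIELD = "_csrf"  # assumed name of the hidden token field


@dataclass
class Session:
    """Server-side session; the token is generated once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_hidden_token(session: Session) -> str:
    """Hidden input the server embeds in its own (same-origin) form."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}" />'


def csrf_valid(session: Session, form: dict) -> bool:
    """True only if the submitted token equals the session's token."""
    submitted = form.get(TOKEN_FIELD, [""])[0]
    # Constant-time comparison on bytes so the check neither leaks token
    # bytes through timing nor raises on non-ASCII input.
    return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


def update_workspace_users(session: Session, body: str, workspace: dict) -> tuple[int, str]:
    """Handler for POST /workspace/{id}/users (assumed shape).

    Parses an application/x-www-form-urlencoded body, enforces the CSRF
    token, and only then replaces the workspace's access lists.
    """
    form = parse_qs(body, keep_blank_values=True)
    if not csrf_valid(session, form):
        return 403, "Forbidden: missing or invalid CSRF token"
    # The report's form sends one user per line (CRLF separated); split()
    # handles CRLF, LF and trailing blanks alike.
    workspace["writeUsers"] = form.get("writeUsers", [""])[0].split()
    workspace["readUsers"] = form.get("readUsers", [""])[0].split()
    return 200, "OK"


def form_body(fields: dict) -> str:
    """URL-encode a form submission the way a browser would."""
    return urlencode(fields)


def simulate_cross_site_post(session: Session, workspace: dict) -> tuple[int, str]:
    """Constructed body matching the report's PoC: no token, since the
    attacker's page cannot read the victim's session token."""
    body = form_body({
        "writeUsers": "structurizr\r\nattacker@example.invalid\r\n",
        "readUsers": "reader@example.invalid\r\n",
    })
    return update_workspace_users(session, body, workspace)


def simulate_guessed_token_post(session: Session, workspace: dict) -> tuple[int, str]:
    """Constructed body with a wrong token: still rejected."""
    body = form_body({
        TOKEN_FIELD: "not-the-real-token",
        "writeUsers": "structurizr\r\n",
        "readUsers": "",
    })
    return update_workspace_users(session, body, workspace)


def simulate_same_origin_post(session: Session, workspace: dict) -> tuple[int, str]:
    """Constructed body from the server's own form, which carries the token."""
    body = form_body({
        TOKEN_FIELD: session.csrf_token,
        "writeUsers": "structurizr\r\nnew-editor@example.invalid\r\n",
        "readUsers": "reader@example.invalid\r\n",
    })
    return update_workspace_users(session, body, workspace)


if __name__ == "__main__":
    sess = Session(user="alice")
    ws = {"writeUsers": ["alice"], "readUsers": []}
    print(simulate_cross_site_post(sess, ws), ws)      # 403, lists unchanged
    print(simulate_guessed_token_post(sess, ws), ws)   # 403, lists unchanged
    print(simulate_same_origin_post(sess, ws), ws)     # 200, lists replaced
```

The token is bound to the session and embedded only in pages the server renders, so a page on another origin can post the same field names but never the right token value. Regenerating the token at login and applying the check to every state-changing form, not just the user access one, is what closes the hole the report describes.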