From 86d495191766e3434c5e207bd82a14c8e9d9848b Mon Sep 17 00:00:00 2001
From: Maciej Pienczyn
Date: Wed, 4 Feb 2026 11:47:02 +0100
Subject: [PATCH] fix(board): Add CSRF tokens to publish forms and handle CSRFError

Both agenda and protocol publish forms were missing CSRF tokens, causing 'CSRF Token is missing' raw error. Adds hidden csrf_token inputs and a global CSRFError handler that shows a friendly flash message instead of raw system error.

Co-Authored-By: Claude Opus 4.5
---
 app.py | 8 ++++++++
 templates/board/meeting_view.html | 10 ++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app.py b/app.py
index 8c17bb8..da37378 100644
--- a/app.py
+++ b/app.py
@@ -1256,6 +1256,14 @@ def not_found(error):
 return render_template('errors/404.html'), 404
+from flask_wtf.csrf import CSRFError
+
+@app.errorhandler(CSRFError)
+def handle_csrf_error(e):
+ flash('Sesja wygasła lub formularz został nieprawidłowo przesłany. Spróbuj ponownie.', 'warning')
+ return redirect(request.referrer or url_for('index'))
+
+
 def send_registration_notification(user_info):
 """Send email notification when a new user registers"""
 try:
diff --git a/templates/board/meeting_view.html b/templates/board/meeting_view.html
index 101766b..9984560 100644
--- a/templates/board/meeting_view.html
+++ b/templates/board/meeting_view.html
@@ -120,6 +120,10 @@
 background: #059669;
 }
+ .inline-form {
+ display: inline;
+ }
+
 .btn-back {
 background: var(--bg-secondary);
 color: var(--text-secondary);
@@ -461,7 +465,8 @@ {% if meeting.status == 'draft' %} -
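Review bot: `handle_csrf_error` in app.py redirects to `request.referrer`, a client-supplied header that on a genuinely cross-site forged POST names the originating page, so a rejected request sends the user straight back to the site that submitted it. Restrict the target to this application's own origin and fall back to the index otherwise, e.g. `target = request.referrer if (request.referrer or '').startswith(request.host_url) else url_for('index')` followed by `return redirect(target)`. The handler also replaces Flask-WTF's default 400 response with a silent 302, so a line such as `app.logger.warning('CSRF validation failed on %s: %s', request.path, e.description)` would keep rejected requests visible in the logs. The `from flask_wtf.csrf import CSRFError` statement is added in the middle of the module; it belongs with the other imports at the top of app.py, which this hunk does not show.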
+ +
{% elif meeting.status in ['agenda_published', 'protocol_draft'] %} -
+ +