From 6f03a47129056b1cbdc876cc4b660d8dc56415b7 Mon Sep 17 00:00:00 2001
From: Marc Koch
Date: Wed, 18 Jun 2025 17:00:30 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A9=B9=20use=20csrf=5Fexempt=20decorator?= =?UTF-8?q?=20instead=20of=20CSRF=5FTRUSTED=5FORIGINS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/booking.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/booking.py b/src/booking.py
index 1e591a8..a670b8b 100644
--- a/src/booking.py
+++ b/src/booking.py
@@ -7,7 +7,7 @@
 import markdown
 import requests
 import shortuuid
-from django.conf.global_settings import CSRF_TRUSTED_ORIGINS
+from django.views.decorators.csrf import csrf_exempt
 from django.core.validators import URLValidator
 from django.db import models
 from django.shortcuts import render, get_object_or_404
@@ -40,8 +40,6 @@ app = Django(
 STATICFILES_DIRS=[
 BASE_DIR / "static",
 ],
- CSRF_TRUSTED_ORIGINS=[host for host in
- os.getenv("DJANGO_ALLOWED_HOSTS", "").split(",")]
 )
 # Import ninja after nanodjango has been initialised to avoid this error:
@@ -250,6 +248,7 @@ def get_version():
 @api.get("/info")
+@csrf_exempt
 def info(request):
 if request.user.is_anonymous:
 user = APIKey.objects.get(key=request.auth.key).user
@@ -260,6 +259,7 @@ def info(request):
 @api.post("/{calendar}/event", response={201: EventSchemaOut})
+@csrf_exempt
 def create_event(request, calendar: str, event: EventSchemaIn):
 user = get_user(request)
 cal = get_object_or_404(Calendar, name=calendar)
@@ -271,6 +271,7 @@ def create_event(request, calendar: str, event: EventSchemaIn):
 @api.delete("/{calendar}/event/{event_id}", response={204: None})
+@csrf_exempt
 def delete_event(request, calendar: str, event_id: str):
 user = get_user(request)
 cal = get_object_or_404(Calendar, name=calendar)
@@ -286,6 +287,7 @@ app.route("api/", include=api.urls)
 @app.route("/")
+@csrf_exempt
 def home(request):
 return render(request, "index.html", {
 "content": get_markdown(),
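Review bot: The `@csrf_exempt` added above `def info(request):` in the `@api.get("/info")` hunk does nothing useful, because Django's CSRF middleware never checks safe methods such as GET. The same likely applies to `home` in the `@app.route("/")` hunk, which only renders `index.html` in the visible lines. I would drop the decorator from both, so the exemptions in this file mark exactly the endpoints where a cross-site protection was deliberately switched off. Both function bodies continue outside their hunks, so confirm `home` has no POST path before removing it there.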
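Review bot: Marking `create_event` (this `@api.post` hunk) and `delete_event` (the following `@api.delete` hunk) `@csrf_exempt` removes CSRF protection from the two state-changing endpoints. The `request.user.is_anonymous` branch in `info` suggests the API accepts session-cookie users as well as API keys, in which case a logged-in browser could be made to create or delete events from another site. The removed setting probably failed because Django 4.0+ requires scheme-qualified origins, which a list built from `DJANGO_ALLOWED_HOSTS` does not provide. I would keep the check and restore the setting with its own variable, e.g. `CSRF_TRUSTED_ORIGINS=[o for o in os.getenv("<ORIGINS_ENV_VAR>", "").split(",") if o],` holding values like `https://host`, or limit the exemption to API-key-authenticated requests. Whether a decorator placed beneath `@api.post` is honoured depends on how the installed django-ninja version runs its CSRF check, so a test posting without a token with each auth method would pin the behaviour; both function bodies continue outside their hunks.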