From 233b9629a21bca4515e4e1c5c97fbbbd0f43fc1e Mon Sep 17 00:00:00 2001
From: Herculino Trotta
Date: Mon, 27 Jan 2025 21:41:55 -0300
Subject: [PATCH] fix(security): toasts and month_year_picker accessible without login
---
 app/apps/common/views.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/app/apps/common/views.py b/app/apps/common/views.py
index 24060b8..cd4efd7 100644
--- a/app/apps/common/views.py
+++ b/app/apps/common/views.py
@@ -4,14 +4,22 @@ from django.db.models.functions import ExtractYear, ExtractMonth
 from django.shortcuts import render
 from django.urls import reverse
 from django.utils import timezone
+from django.views.decorators.http import require_http_methods
+from apps.common.decorators.htmx import only_htmx
 from apps.transactions.models import Transaction
+@only_htmx
+@login_required
+@require_http_methods(["GET"])
 def toasts(request):
 return render(request, "common/fragments/toasts.html")
+@only_htmx
+@login_required
+@require_http_methods(["GET"])
 def month_year_picker(request):
 field = request.GET.get("field", "reference_date")
 for_ = request.GET.get("for", None)
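Review bot: Nothing in the decorator stacks added above `toasts` and `month_year_picker` records which decorator is the actual access control, and `@only_htmx` sits outermost even though, assuming it keys on the client-supplied `HX-Request` header (its implementation is not part of this diff), it restricts nothing on its own. The order does not open a hole, but I would list `@login_required` first and add a comment such as `# login_required is the access control; only_htmx filters on a client-set header and is not a security boundary`. `month_year_picker` also takes `field` straight from the query string and its body continues outside the hunk; if that value reaches `ExtractYear`/`ExtractMonth` on `Transaction`, it should be checked against a fixed set of date field names first. The import of `login_required` is not visible here and presumably sits in the file's first three lines. Since both views were missed by a per-view opt-in, a regression test asserting that an anonymous request carrying the HTMX header is refused on each endpoint would keep this from recurring.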