CSRF exempt HTMX views (localhost-only app)

1 files changed, 6 insertions, 0 deletions

diff --git a/kitchen/views_htmx.py b/kitchen/views_htmx.py
index 5fc7e67..7d011c9 100644
--- a/kitchen/views_htmx.py
+++ b/kitchen/views_htmx.py
@@ -7,6 +7,7 @@ from decimal import Decimal
 
 from django.http import HttpResponse
 from django.shortcuts import render, get_object_or_404
+from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST, require_http_methods
 
 from .models import (
@@ -194,6 +195,7 @@ def log_page(request):
 
 # --- HTMX Actions ---
 
+@csrf_exempt
 @require_POST
 def pantry_add(request):
     name = request.POST.get("ingredient_name", "").strip()
@@ -238,6 +240,7 @@ def pantry_add(request):
     return render(request, "kitchen/partials/pantry_table.html", ctx)
 
 
+@csrf_exempt
 @require_http_methods(["DELETE"])
 def pantry_delete(request, item_id):
     item = get_object_or_404(PantryItem, id=item_id)
@@ -246,6 +249,7 @@ def pantry_delete(request, item_id):
     return render(request, "kitchen/partials/pantry_table.html", ctx)
 
 
+@csrf_exempt
 @require_POST
 def shopping_generate(request):
     """Generate smart shopping list and return updated HTML."""
@@ -293,6 +297,7 @@ def shopping_generate(request):
     return render(request, "kitchen/partials/shopping_list.html", {"items": items})
 
 
+@csrf_exempt
 @require_POST
 def shopping_toggle(request, item_id):
     item = get_object_or_404(ShoppingListItem, id=item_id)
@@ -305,6 +310,7 @@ def shopping_toggle(request, item_id):
     return render(request, "kitchen/partials/shopping_list.html", {"items": items})
 
 
+@csrf_exempt
 @require_POST
 def shopping_clear(request):
     ShoppingListItem.objects.filter(checked=True).delete()