From 2f279ac89d66c777e12e4e9f2a0ff0d0aed8883a Mon Sep 17 00:00:00 2001
From: Caine <caine@jihakuz.xyz>
Date: Thu, 2 Apr 2026 23:12:16 +0100
Subject: CSRF exempt HTMX views (localhost-only app)

---
 kitchen/views_htmx.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kitchen/views_htmx.py b/kitchen/views_htmx.py
index 5fc7e67..7d011c9 100644
--- a/kitchen/views_htmx.py
+++ b/kitchen/views_htmx.py
@@ -7,6 +7,7 @@ from decimal import Decimal
 
 from django.http import HttpResponse
 from django.shortcuts import render, get_object_or_404
+from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST, require_http_methods
 
 from .models import (
@@ -194,6 +195,7 @@ def log_page(request):
 
 # --- HTMX Actions ---
 
+@csrf_exempt
 @require_POST
 def pantry_add(request):
     name = request.POST.get("ingredient_name", "").strip()
@@ -238,6 +240,7 @@ def pantry_add(request):
     return render(request, "kitchen/partials/pantry_table.html", ctx)
 
 
+@csrf_exempt
 @require_http_methods(["DELETE"])
 def pantry_delete(request, item_id):
     item = get_object_or_404(PantryItem, id=item_id)
@@ -246,6 +249,7 @@ def pantry_delete(request, item_id):
     return render(request, "kitchen/partials/pantry_table.html", ctx)
 
 
+@csrf_exempt
 @require_POST
 def shopping_generate(request):
     """Generate smart shopping list and return updated HTML."""
@@ -293,6 +297,7 @@ def shopping_generate(request):
     return render(request, "kitchen/partials/shopping_list.html", {"items": items})
 
 
+@csrf_exempt
 @require_POST
 def shopping_toggle(request, item_id):
     item = get_object_or_404(ShoppingListItem, id=item_id)
@@ -305,6 +310,7 @@ def shopping_toggle(request, item_id):
     return render(request, "kitchen/partials/shopping_list.html", {"items": items})
 
 
+@csrf_exempt
 @require_POST
 def shopping_clear(request):
     ShoppingListItem.objects.filter(checked=True).delete()
-- 
cgit v1.2.3