v0.5.9: Fix CSRF error - only disable buttons, not inputs

matteius · matteius · commit bfefb5261e64 · 2026-01-18T13:39:33.000-05:00
- Don't disable CSRF token input during form submission
- Only disable buttons to prevent double-click
diff --git a/django_forms_workflows/__init__.py b/django_forms_workflows/__init__.py
@@ -3,7 +3,7 @@
 Enterprise-grade, database-driven form builder with approval workflows
 """
 
-__version__ = "0.5.8"
+__version__ = "0.5.9"
 __author__ = "Django Forms Workflows Contributors"
 __license__ = "LGPL-3.0-only"
 
diff --git a/django_forms_workflows/templates/django_forms_workflows/approve.html b/django_forms_workflows/templates/django_forms_workflows/approve.html
@@ -132,10 +132,10 @@ <h5 class="mb-0">Your Decision</h5>
         actionButtons.classList.add('d-none');
         loadingSpinner.classList.remove('d-none');
 
-        // Disable all form inputs to prevent double submission
-        const inputs = form.querySelectorAll('input, textarea, button');
-        inputs.forEach(function(input) {
-            input.disabled = true;
+        // Disable only buttons to prevent double-click (not inputs - that breaks CSRF)
+        const buttons = form.querySelectorAll('button');
+        buttons.forEach(function(btn) {
+            btn.disabled = true;
         });
     });
 });
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "django-forms-workflows"
-version = "0.5.8"
+version = "0.5.9"
 description = "Enterprise-grade, database-driven form builder with approval workflows and external data integration"
 license = "LGPL-3.0-only"
 readme = "README.md"
