Make antispam-protected links also be javascript-triggered

This makes a tiny javascript run to convert it into a POST and then
receive that POST. The idea behind this is to remove the links from view
of crawlers (hello AI bots!) that completely ignore robots.txt, causing
lots of redirect chains on account of logins.

We still allow GET requests on those endpoints, as there are external
links pointing to them as well as people having scripts. But those are
at least to fewer emails than all.

Author: mhagander

django/archives/mailarchives/templates/_message.html

@@ -30,10 +30,10 @@
  <tr>
    <th class="align-middle" scope="row">Views:</th>
    <td>
-     <a href="/message-id/raw/{{msg.messageid|urlencode}}">Raw Message</a> |
      <a href="/message-id/flat/{{msg.messageid|urlencode}}">Whole Thread</a> |
-     <a href="/message-id/mbox/{{msg.messageid|urlencode}}">Download mbox</a>
-{%if allow_resend %}| <a href="/message-id/resend/{{msg.messageid|urlencode}}">Resend email</a>{%endif%}
+     <a href="#" data-ref="/message-id/raw/{{msg.messageid|urlencode}}" class="post-link">Raw Message</a> |
+     <a href="#" data-ref="/message-id/mbox/{{msg.messageid|urlencode}}" class="post-link">Download mbox</a>
+{%if allow_resend %} | <a href="#" data-ref="/message-id/resend/{{msg.messageid|urlencode}}" class="post-link">Resend email</a>{%endif%}
    </td>
  </tr>
  {% if not show_all %}

django/archives/mailarchives/templates/message.html

@@ -6,4 +6,5 @@
 <h1 class="subject">{{msg.subject}}</h1>
 {%endif%}
 {% include '_message.html' with msg=msg lists=lists %}
+<form id="mail_other_options_form" method="post" action="/"></form>
 {%endblock%}

django/archives/mailarchives/templates/message_flat.html

@@ -23,4 +23,5 @@ <h1 id="flatMsgSubject" class="subject" data-isfirst="{{isfirst}}" data-msgid="{
   <hr style="margin-bottom: 0.5rem;" />
 {% endif %}
 {%endfor%}
+<form id="mail_other_options_form" method="post" action="/"></form>
 {%endblock%}

django/archives/mailarchives/templates/message_resend.html

@@ -17,4 +17,5 @@ <h1 class="subject">Resend - {{msg.subject}}</h1>
 
 <h4>Message to resend</h4>
 {% include '_message.html' with msg=msg lists=lists show_all=True %}
+<form id="mail_other_options_form" method="post" action="/"></form>
 {%endblock%}

django/archives/mailarchives/views.py

@@ -547,6 +547,7 @@ def message_flat(request, msgid):
     return r
 
 
+@csrf_exempt
 @nocache
 @antispam_auth
 def message_raw(request, msgid):
@@ -606,6 +607,7 @@ def _message_stream(first):
     return r
 
 
+@csrf_exempt
 @nocache
 @antispam_auth
 def message_mbox(request, msgid):
@@ -650,6 +652,7 @@ def mbox(request, listname, listname2, mboxyear, mboxmonth):
 
 
 @transaction.atomic
+@csrf_exempt
 def resend(request, messageid):
     if not settings.ALLOW_RESEND:
         raise PermissionDenied("Access denied.")

django/media/js/main.js

@@ -4,6 +4,14 @@ $(function(){
 	document.location.href = '/message-id/' + $(this).val();
     });
 
+    /* Callback for viewing protected versions */
+    $('a.post-link').click(function(e) {
+       if ($(this).data('ref')) {
+            $('#mail_other_options_form').attr('action', $(this).data('ref'));
+            $('#mail_other_options_form').submit();
+        }
+    });
+
 
     /*
      * For flat message view, redirect to the anchor of the messageid we're watching,