From b57ba0fb6fc50a19398e161d1e24f2a44ff745f1 Mon Sep 17 00:00:00 2001
From: cproudlock <cproudlock@localhost>
Date: Sun, 24 May 2026 07:04:20 -0400
Subject: [PATCH] webapp: add CSRF token to imaging Clear-all form

The dashboard Clear-all button posts to /imaging/delete-all but the form
was missing the hidden _csrf_token input that the rest of the webapp's
POST forms include, so the endpoint would reject the request when CSRF
enforcement is active.
---
 webapp/templates/imaging.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webapp/templates/imaging.html b/webapp/templates/imaging.html
index a72576b..c738a8c 100644
--- a/webapp/templates/imaging.html
+++ b/webapp/templates/imaging.html
@@ -29,6 +29,7 @@ window.addEventListener('DOMContentLoaded', scheduleImagingReload);
     <form method="post" action="{{ url_for('imaging_delete_all') }}"
           onsubmit="return confirm('Clear all {{ sessions|length }} imaging session(s)? This wipes every tile from the dashboard. Live re-images will repopulate on next status push.');"
           style="display:inline;">
+      <input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">
       <button type="submit" class="btn btn-sm btn-outline-danger">Clear all</button>
     </form>
     {% endif %}