Open martinei opened 10 years ago
The form should be protected against CSRF. From a glance at the code I am also not convinced that "eater-id" is checked against the actual authentication, but I may be missing an "interceptor" concept as I have no idea of Erlang.
Yes, you are right. CSRF is not enabled yet. I will do it in a later version.
The real authentication is done by the Apache web server in front of iCook. iCook does authorization.