CSRF in watch-unwatch projects
Low
Vulnerability Details
Hello,
When you visit any project from `https://hosted.weblate.org/`, there is a button provided on the top-right called `Watch` / `Unwatch` for each project. When you click on that button, a POST request is sent which contains a CSRF token. But this request also works without that token.
Just hit the URLs in your browser and you will be able to `Watch` or `Unwatch` the projects:
`https://hosted.weblate.org/accounts/watch/androbd/`
`https://hosted.weblate.org/accounts/unwatch/androbd/`
where `androbd` is a project name!
Regards
Ashish
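Added example, not the reporter's or Weblate's code: a minimal Python model of a watch/unwatch view that shows the behaviour described above (any request toggles the state) beside a hardened version, plus a regression check of the kind a fix should pass. `SITE_ORIGIN`, the constructed requests and the `Request` stand-in are assumptions; the `csrftoken` cookie and `csrfmiddlewaretoken` field names follow Django's defaults, which Weblate builds on.

```python
import hmac
import secrets
from collections import namedtuple

SITE_ORIGIN = "https://hosted.weblate.org"  # assumed site origin for the Origin check

# Constructed stand-in for an HTTP request (not a real framework object); the
# dicts are never mutated, so sharing the empty defaults is safe.
Request = namedtuple("Request", "method path cookies form headers", defaults=[{}, {}, {}])

def weak_view(req: Request, watched: set) -> int:
    """Weak: no method or token check, so a plain link toggles the state (as reported).
    /accounts/watch/<project>/ adds the project, /accounts/unwatch/<project>/ removes it."""
    project = req.path.rstrip("/").rsplit("/", 1)[-1]
    (watched.add if "/watch/" in req.path else watched.discard)(project)
    return 302

def hardened_view(req: Request, watched: set) -> int:
    """Hardened: POST only, cookie token must equal the form token (constant-time
    compare), and a cross-site Origin is refused before the state change runs."""
    if req.method != "POST":
        return 405
    cookie_token = req.cookies.get("csrftoken", "")
    form_token = req.form.get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return 403
    # An absent Origin is treated as same-site here; Django also falls back to Referer.
    if req.headers.get("Origin", SITE_ORIGIN) != SITE_ORIGIN:
        return 403
    return weak_view(req, watched)

def csrf_regression(view) -> dict:
    """Verify a fix: a bare GET and a token-less cross-site POST must leave the watch
    set unchanged; a same-site POST with a matching token must change it."""
    token = secrets.token_hex(16)
    path = "/accounts/watch/androbd/"
    probes = {
        "get_link": Request("GET", path),
        "post_no_token": Request("POST", path, headers={"Origin": "https://other.example"}),
        "post_with_token": Request("POST", path, cookies={"csrftoken": token},
                                   form={"csrfmiddlewaretoken": token},
                                   headers={"Origin": SITE_ORIGIN}),
    }
    results = {}
    for name, req in probes.items():
        watched = set()
        view(req, watched)
        results[name] = "androbd" in watched  # True if this probe changed the state
    return results
```

Running `csrf_regression` against a real deployment means replacing the in-memory view with HTTP calls to a test instance; the expected outcome is the same: only the same-site, token-bearing POST may change the watch state.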
Report Stats
- Report ID: 229405
- State: Closed
- Substate: resolved
- Upvotes: 5