forked from wallabag/wallabag
Protect delete_tagging_rule with a CSRF token
This commit is contained in:
Yassine Guedidi
@ -482,12 +482,16 @@ class ConfigController extends AbstractController
|
||||
/**
|
||||
* Deletes a tagging rule and redirect to the config homepage.
|
||||
*
|
||||
* @Route("/tagging-rule/delete/{id}", requirements={"id" = "\d+"}, name="delete_tagging_rule")
|
||||
* @Route("/tagging-rule/delete/{id}", name="delete_tagging_rule", methods={"POST"}, requirements={"id" = "\d+"})
|
||||
*
|
||||
* @return RedirectResponse
|
||||
*/
|
||||
public function deleteTaggingRuleAction(TaggingRule $rule)
|
||||
public function deleteTaggingRuleAction(Request $request, TaggingRule $rule)
|
||||
{
|
||||
if (!$this->isCsrfTokenValid('delete-tagging-rule', $request->request->get('token'))) {
|
||||
throw new BadRequestHttpException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
$this->validateRuleAction($rule);
|
||||
|
||||
$this->entityManager->remove($rule);
|
||||
|
||||
@ -340,9 +340,13 @@
|
||||
<a href="{{ path('edit_tagging_rule', {id: tagging_rule.id}) }}" title="{{ 'config.form_rules.edit_rule_label'|trans }}" class="mode_edit_tagging_rule">
|
||||
<i class="tool grey-text material-icons">mode_edit</i>
|
||||
</a>
|
||||
<a href="{{ path('delete_tagging_rule', {id: tagging_rule.id}) }}" title="{{ 'config.form_rules.delete_rule_label'|trans }}" class="delete_tagging_rule">
|
||||
<i class="tool grey-text material-icons">delete</i>
|
||||
</a>
|
||||
<form action="{{ path('delete_tagging_rule', {id: tagging_rule.id}) }}" method="post" class="inline-block">
|
||||
<input type="hidden" name="token" value="{{ csrf_token('delete-tagging-rule') }}"/>
|
||||
|
||||
<button type="submit" title="{{ 'config.form_rules.delete_rule_label'|trans }}" class="btn-link">
|
||||
<i class="tool grey-text material-icons">delete</i>
|
||||
</button>
|
||||
</form>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
|
||||
Reference in New Issue
Block a user