Merge pull request #6289 from wallabag/2.5/fix-csrf-user-deletion

Fix CSRF on user deletion
2023-02-07 21:52:51 +01:00
parent 4e023bddc3 f1b3d5cdd7
commit 268372dbbd
3 changed files with 14 additions and 8 deletions
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@ -586,7 +586,7 @@ class ConfigController extends Controller
    /**
     * Delete account for current user.
     *
-     * @Route("/account/delete", name="delete_account")
+     * @Route("/account/delete", name="delete_account", methods={"POST"})
     *
     * @throws AccessDeniedHttpException
     *
@ -594,6 +594,10 @@ class ConfigController extends Controller
     */
    public function deleteAccountAction(Request $request)
    {
+        if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
+            throw $this->createAccessDeniedException('Bad CSRF token.');
+        }
+
        $enabledUsers = $this->get('wallabag_user.user_repository')
            ->getSumEnabledUsers();