Protect delete_share with a CSRF token

src/Wallabag/CoreBundle/Controller/EntryController.php

@@ -570,12 +570,16 @@ class EntryController extends AbstractController
     /**
      * Disable public sharing for an entry.
      *
-     * @Route("/share/delete/{id}", requirements={"id" = "\d+"}, name="delete_share")
+     * @Route("/share/delete/{id}", name="delete_share", methods={"POST"}, requirements={"id" = "\d+"})
      *
      * @return Response
      */
-    public function deleteShareAction(Entry $entry)
+    public function deleteShareAction(Request $request, Entry $entry)
     {
+        if (!$this->isCsrfTokenValid('delete-share', $request->request->get('token'))) {
+            throw new BadRequestHttpException('Bad CSRF token.');
+        }
+
         $this->checkUserAction($entry);
 
         $entry->cleanUid();

src/Wallabag/CoreBundle/Resources/views/Entry/entry.html.twig

@@ -168,9 +168,13 @@
                             </form>
                         </li>
                         <li>
-                            <a href="{{ path('delete_share', {'id': entry.id}) }}" title="{{ 'entry.view.left_menu.delete_public_link'|trans }}" class="tool icon-no-eye">
-                                <span>{{ 'entry.view.left_menu.delete_public_link'|trans }}</span>
-                            </a>
+                            <form action="{{ path('delete_share', {'id': entry.id}) }}" method="post">
+                                <input type="hidden" name="token" value="{{ csrf_token('delete-share') }}"/>
+
+                                <button type="submit" class="btn-link tool icon-no-eye" title="{{ 'entry.view.left_menu.delete_public_link'|trans }}">
+                                    <span>{{ 'entry.view.left_menu.delete_public_link'|trans }}</span>
+                                </button>
+                            </form>
                         </li>
                     {% endif %}
                     {% if craue_setting('share_twitter') %}