oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-06-27 16:36:00 +00:00
Code Wiki Activity

Protect delete_ignore_origin_rule with a CSRF token

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-18 23:57:18 +01:00
parent 264f91126e
commit 6fa61c0f9c
3 changed files with 18 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/Wallabag/CoreBundle/Controller/ConfigController.php
View file

@ -522,12 +522,16 @@ class ConfigController extends AbstractController
/**
* Deletes an ignore origin rule and redirect to the config homepage.
*
* @Route("/ignore-origin-user-rule/delete/{id}", requirements={"id" = "\d+"}, name="delete_ignore_origin_rule")
* @Route("/ignore-origin-user-rule/delete/{id}", name="delete_ignore_origin_rule", methods={"POST"}, requirements={"id" = "\d+"})
*
* @return RedirectResponse
*/
public function deleteIgnoreOriginRuleAction(IgnoreOriginUserRule $rule)
public function deleteIgnoreOriginRuleAction(Request $request, IgnoreOriginUserRule $rule)
{
if (!$this->isCsrfTokenValid('delete-ignore-origin-rule', $request->request->get('token'))) {
throw new BadRequestHttpException('Bad CSRF token.');
}
$this->validateRuleAction($rule);
$this->entityManager->remove($rule);

10
src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
View file

@ -524,9 +524,13 @@
<a href="{{ path('edit_ignore_origin_rule', {id: ignore_origin_rule.id}) }}" title="{{ 'config.form_rules.edit_rule_label'|trans }}" class="mode_edit">
<i class="tool grey-text material-icons">mode_edit</i>
</a>
<a href="{{ path('delete_ignore_origin_rule', {id: ignore_origin_rule.id}) }}" title="{{ 'config.form_rules.delete_rule_label'|trans }}" class="delete">
<i class="tool grey-text material-icons">delete</i>
</a>
<form action="{{ path('delete_ignore_origin_rule', {id: ignore_origin_rule.id}) }}" method="post" class="inline-block">
<input type="hidden" name="token" value="{{ csrf_token('delete-ignore-origin-rule') }}"/>
<button type="submit" title="{{ 'config.form_rules.delete_rule_label'|trans }}" class="btn-link">
<i class="tool grey-text material-icons">delete</i>
</button>
</form>
</li>
{% endfor %}
</ul>

10
tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
View file

@ -642,9 +642,9 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertStringContainsString('host = "example.org"', $crawler->filter('body')->extract(['_text'])[0]);
$deleteLink = $crawler->filter('div[id=set6] a.delete')->last()->link();
$form = $crawler->filter('#set6')->selectButton('delete')->form();
$crawler = $client->click($deleteLink);
$crawler = $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$crawler = $client->followRedirect();
@ -709,11 +709,11 @@ class ConfigControllerTest extends WallabagCoreTestCase
->getRepository(IgnoreOriginUserRule::class)
->findAll()[0];
$crawler = $client->request('GET', '/ignore-origin-user-rule/edit/' . $rule->getId());
$crawler = $client->request('POST', '/ignore-origin-user-rule/delete/' . $rule->getId());
$this->assertSame(403, $client->getResponse()->getStatusCode());
$this->assertSame(400, $client->getResponse()->getStatusCode());
$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
$this->assertStringContainsString('You can not access this rule', $body[0]);
$this->assertStringContainsString('Bad CSRF token.', $body[0]);
}
public function testEditingIgnoreOriginRuleFromAnOtherUser()