diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index 3b951f4a6..81bea532a 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -522,12 +522,16 @@ class ConfigController extends AbstractController
/**
* Deletes an ignore origin rule and redirect to the config homepage.
*
- * @Route("/ignore-origin-user-rule/delete/{id}", requirements={"id" = "\d+"}, name="delete_ignore_origin_rule")
+ * @Route("/ignore-origin-user-rule/delete/{id}", name="delete_ignore_origin_rule", methods={"POST"}, requirements={"id" = "\d+"})
*
* @return RedirectResponse
*/
- public function deleteIgnoreOriginRuleAction(IgnoreOriginUserRule $rule)
+ public function deleteIgnoreOriginRuleAction(Request $request, IgnoreOriginUserRule $rule)
{
+ if (!$this->isCsrfTokenValid('delete-ignore-origin-rule', $request->request->get('token'))) {
+ throw new BadRequestHttpException('Bad CSRF token.');
+ }
+
$this->validateRuleAction($rule);
$this->entityManager->remove($rule);
diff --git a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
index c3d94f5e5..59031054d 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
@@ -524,9 +524,13 @@
mode_edit
-
- delete
-
+
{% endfor %}
diff --git a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
index 74813b519..0a5a7da46 100644
--- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
@@ -642,9 +642,9 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertStringContainsString('host = "example.org"', $crawler->filter('body')->extract(['_text'])[0]);
- $deleteLink = $crawler->filter('div[id=set6] a.delete')->last()->link();
+ $form = $crawler->filter('#set6')->selectButton('delete')->form();
- $crawler = $client->click($deleteLink);
+ $crawler = $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$crawler = $client->followRedirect();
@@ -709,11 +709,11 @@ class ConfigControllerTest extends WallabagCoreTestCase
->getRepository(IgnoreOriginUserRule::class)
->findAll()[0];
- $crawler = $client->request('GET', '/ignore-origin-user-rule/edit/' . $rule->getId());
+ $crawler = $client->request('POST', '/ignore-origin-user-rule/delete/' . $rule->getId());
- $this->assertSame(403, $client->getResponse()->getStatusCode());
+ $this->assertSame(400, $client->getResponse()->getStatusCode());
$this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text']));
- $this->assertStringContainsString('You can not access this rule', $body[0]);
+ $this->assertStringContainsString('Bad CSRF token.', $body[0]);
}
public function testEditingIgnoreOriginRuleFromAnOtherUser()