Replace GET way to POST way to delete API client

2025-09-15 18:57:05 +00:00 · 2023-07-29 10:31:51 +02:00 · 2023-07-29 10:31:51 +02:00 · c3d1f92278
commit c3d1f92278
parent f4fd8e4675
3 changed files with 15 additions and 12 deletions
--- a/src/Wallabag/ApiBundle/Controller/DeveloperController.php
+++ b/src/Wallabag/ApiBundle/Controller/DeveloperController.php
@ -69,12 +69,17 @@ class DeveloperController extends AbstractController
    /**
     * Remove a client.
     *
-     * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client")
+     * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"})
     *
     * @return RedirectResponse
     */
-    public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
+    public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
    {
+
+        if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
+            throw $this->createAccessDeniedException('Bad CSRF token.');
+        }
+
        if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {
            throw $this->createAccessDeniedException('You can not access this client.');
        }
--- a/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig
@ -57,9 +57,11 @@

                                    <p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p>
                                    <p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p>
-                                    <p>
-                                        <a class="waves-effect waves-light red btn" href="{{ path('developer_delete_client', {'id': client.id}) }}">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</a>
-                                    </p>
+                                    <form action="{{ path('developer_delete_client', { id: client.id }) }}" method="post" name="delete-client">
+                                        <input type="hidden" name="token" value="{{ csrf_token('delete-client') }}" />
+
+                                        <button class="waves-effect waves-light btn red" type="submit">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</button>
+                                    </form>
                                </div>
                            </li>
                        {% endfor %}