oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-08-06 17:41:01 +00:00
Code Wiki Activity

Protect delete_share with a CSRF token

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-23 13:13:11 +01:00
parent 0d8429dfc7
commit d1e128900a
3 changed files with 22 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/Wallabag/CoreBundle/Controller/EntryController.php
View file

@ -570,12 +570,16 @@ class EntryController extends AbstractController
/** /**
* Disable public sharing for an entry. * Disable public sharing for an entry.
* *
* @Route("/share/delete/{id}", requirements={"id" = "\d+"}, name="delete_share") * @Route("/share/delete/{id}", name="delete_share", methods={"POST"}, requirements={"id" = "\d+"})
* *
* @return Response * @return Response
*/ */
public function deleteShareAction(Entry $entry) public function deleteShareAction(Request $request, Entry $entry)
{ {
if (!$this->isCsrfTokenValid('delete-share', $request->request->get('token'))) {
throw new BadRequestHttpException('Bad CSRF token.');
}
$this->checkUserAction($entry); $this->checkUserAction($entry);
$entry->cleanUid(); $entry->cleanUid();

8
src/Wallabag/CoreBundle/Resources/views/Entry/entry.html.twig
View file

@ -168,9 +168,13 @@
</form> </form>
</li> </li>
<li> <li>
<a href="{{ path('delete_share', {'id': entry.id}) }}" title="{{ 'entry.view.left_menu.delete_public_link'|trans }}" class="tool icon-no-eye"> <form action="{{ path('delete_share', {'id': entry.id}) }}" method="post">
<input type="hidden" name="token" value="{{ csrf_token('delete-share') }}"/>
<button type="submit" class="btn-link tool icon-no-eye" title="{{ 'entry.view.left_menu.delete_public_link'|trans }}">
<span>{{ 'entry.view.left_menu.delete_public_link'|trans }}</span> <span>{{ 'entry.view.left_menu.delete_public_link'|trans }}</span>
</a> </button>
</form>
</li> </li>
{% endif %} {% endif %}
{% if craue_setting('share_twitter') %} {% if craue_setting('share_twitter') %}

11
tests/Wallabag/CoreBundle/Controller/EntryControllerTest.php
View file

@ -1185,12 +1185,19 @@ class EntryControllerTest extends WallabagCoreTestCase
$this->assertSame(404, $client->getResponse()->getStatusCode()); $this->assertSame(404, $client->getResponse()->getStatusCode());
// removing the share // removing the share
$client->request('GET', '/share/delete/' . $content->getId()); $client->getContainer()->get(Config::class)->set('share_public', 1);
$this->logInAs('admin');
$crawler = $client->request('GET', '/view/' . $content->getId());
$client->submit($crawler->filter('.left-bar')->selectButton('entry.view.left_menu.delete_public_link')->form());
$this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertSame(302, $client->getResponse()->getStatusCode());
// share is now disable // share is now removed
$client->request('GET', '/share/' . $content->getUid()); $client->request('GET', '/share/' . $content->getUid());
$this->assertSame(404, $client->getResponse()->getStatusCode()); $this->assertSame(404, $client->getResponse()->getStatusCode());
$client->getContainer()->get(Config::class)->set('share_public', 0);
} }
/** /**