oss/wallabag
oss/wallabag
1
0
Fork 0
mirror of https://github.com/wallabag/wallabag.git synced 2025-08-06 17:41:01 +00:00
Code Wiki Activity

Protect generate_token with a CSRF token

Browse source
This commit is contained in:
Yassine Guedidi 2025-03-18 23:38:48 +01:00
parent f71d8332e0
commit d703fa6a3a
4 changed files with 72 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/Wallabag/CoreBundle/Controller/ConfigController.php
View file

@ -16,6 +16,7 @@ use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Validator\Constraints\Locale as LocaleConstraint;
@ -429,22 +430,22 @@ class ConfigController extends AbstractController
}
/**
* @Route("/generate-token", name="generate_token")
* @Route("/generate-token", name="generate_token", methods={"POST"})
*
* @return RedirectResponse|JsonResponse
*/
public function generateTokenAction(Request $request)
{
if (!$this->isCsrfTokenValid('generate-token', $request->request->get('token'))) {
throw new BadRequestHttpException('Bad CSRF token.');
}
$config = $this->getConfig();
$config->setFeedToken(Utils::generateToken());
$this->entityManager->persist($config);
$this->entityManager->flush();
if ($request->isXmlHttpRequest()) {
return new JsonResponse(['token' => $config->getFeedToken()]);
}
$this->addFlash(
'notice',
'flashes.config.notice.feed_token_updated'