
Protect remove_tag with a CSRF token

This commit is contained in:
Yassine Guedidi 2025-03-23 13:46:38 +01:00
parent d1e128900a
commit ddf2e80842
4 changed files with 19 additions and 14 deletions


@ -1694,7 +1694,7 @@ class EntryControllerTest extends WallabagCoreTestCase
$this->assertSame('example.com', $content->getDomainName());
}
public function testEntryDeleteTagLink()
public function testEntryDeleteTagForm()
{
$this->logInAs('admin');
$client = $this->getTestClient();
@ -1705,10 +1705,7 @@ class EntryControllerTest extends WallabagCoreTestCase
$crawler = $client->request('GET', '/view/' . $entry->getId());
// As long as the deletion link of a tag is following
// a link to the tag view, we take the second one to retrieve
// the deletion link of the first tag
$link = $crawler->filter('body div#article div.tools ul.tags li.chip a')->extract(['href'])[1];
$link = $crawler->filter('body div#article div.tools ul.tags li.chip form')->extract(['action'])[0];
$this->assertStringStartsWith(sprintf('/remove-tag/%s/%s', $entry->getId(), $tag->getId()), $link);
}
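Review bot: The variable `$link` on the new line `$link = $crawler->filter('body div#article div.tools ul.tags li.chip form')->extract(['action'])[0];` now holds a form action rather than an anchor href, so the name misleads; `$action = $crawler->filter('body div#article div.tools ul.tags li.chip form')->extract(['action'])[0];` and `$this->assertStringStartsWith(sprintf('/remove-tag/%s/%s', $entry->getId(), $tag->getId()), $action);` would read correctly in testEntryDeleteTagForm. The renamed test still asserts only the action URL prefix; since the point of the commit is the CSRF token, it would be worth also asserting that the selected form carries the hidden token input (its field name comes from the template and is not visible in this hunk), so a regression that drops the token from the markup is caught here rather than only by the submit test. If the comment about "taking the second one" to reach the first tag's deletion link survives on the new side (its side is not recoverable from this rendering), it no longer matches the `[0]` index and should be dropped or reworded.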


@ -126,8 +126,8 @@ class TagControllerTest extends WallabagCoreTestCase
$crawler = $client->request('GET', '/view/' . $entry->getId());
$entryUri = $client->getRequest()->getRequestUri();
$link = $crawler->filter('a[href^="/remove-tag/' . $entry->getId() . '/' . $tag->getId() . '"]')->link();
$client->click($link);
$form = $crawler->filter('form[action^="/remove-tag/' . $entry->getId() . '/' . $tag->getId() . '"]')->form();
$client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertSame($entryUri, $client->getResponse()->getTargetUrl());
@ -136,9 +136,8 @@ class TagControllerTest extends WallabagCoreTestCase
$entry = $this->getEntityManager()->getRepository(Entry::class)->find($entry->getId());
$this->assertNotContains($this->tagName, $entry->getTagsLabel());
$client->request('GET', '/remove-tag/' . $entry->getId() . '/' . $tag->getId());
$this->assertSame(404, $client->getResponse()->getStatusCode());
$client->request('GET', '/view/' . $entry->getId());
$this->assertStringNotContainsString('/remove-tag/' . $entry->getId() . '/' . $tag->getId(), $client->getResponse()->getContent());
$tag = $client->getContainer()
->get(EntityManagerInterface::class)