mirror of https://github.com/wallabag/wallabag.git synced 2025-09-15 18:57:05 +00:00

Fix CSRF on user deletion

Jeremy Benoist 2023-02-07 20:29:42 +01:00
parent 784bc1393c
commit f1b3d5cdd7
No known key found for this signature in database
GPG key ID: 7168D5DD29F38552
3 changed files with 14 additions and 8 deletions


@ -586,7 +586,7 @@ class ConfigController extends Controller
/**
* Delete account for current user.
*
* @Route("/account/delete", name="delete_account")
* @Route("/account/delete", name="delete_account", methods={"POST"})
*
* @throws AccessDeniedHttpException
*
@ -594,6 +594,10 @@ class ConfigController extends Controller
*/
public function deleteAccountAction(Request $request)
{
if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.');
}
$enabledUsers = $this->get('wallabag_user.user_repository')
->getSumEnabledUsers();
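Review bot: The new guard at the top of `deleteAccountAction` passes `$request->request->get('token')` straight into `isCsrfTokenValid()`, so a request that sends `token` as an array would probably raise a type error (a 500) rather than the intended access-denied response, assuming the Symfony version in use declares that parameter as `?string`. Reading the value first and rejecting non-strings keeps the failure on the same path: `$token = $request->request->get('token');` followed by `if (!\is_string($token) || !$this->isCsrfTokenValid('delete-account', $token)) {`. Separately, `createAccessDeniedException()` returns the security component's `AccessDeniedException`, while the docblock in the first hunk lists only `@throws AccessDeniedHttpException`; adding `@throws AccessDeniedException` there would document the new exit. The body of `deleteAccountAction` continues outside the hunk, so how the later checks throw is not visible here.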