mirror of
https://git.joinplu.me/Plume/Plume.git
synced 2024-11-29 06:51:01 +00:00
d8ca1d70b7
GET routes are not protected against CSRF. This commit changes the needed URLs to POST and replace simple links with forms. Thanks @fdb-hiroshima for noticing it!
34 lines
1.1 KiB
Text
34 lines
1.1 KiB
Text
{% extends "base" %}
|
|
|
|
{% block title %}
|
|
{{ "Edit your account" | _ }}
|
|
{% endblock title %}
|
|
|
|
{% block content %}
|
|
<h1>{{ "Your Profile" | _ }}</h1>
|
|
<form method="post">
|
|
<!-- Rocket hack to use various HTTP methods -->
|
|
<input type=hidden name="_method" value="put">
|
|
|
|
<label for="display_name">{{ "Display Name" | _ }}</label>
|
|
<input name="display_name" value="{{ account.display_name }}">
|
|
|
|
<label for="email">{{ "Email" | _ }}</label>
|
|
<input name="email" value="{{ account.email }}">
|
|
|
|
<label for="summary">{{ "Summary" | _ }}</label>
|
|
<input name="summary" value="{{ account.summary }}">
|
|
|
|
<input type="submit" value="{{ "Update account" | _ }}"/>
|
|
</form>
|
|
|
|
<h2>{{ "Danger zone" | _ }}</h2>
|
|
<p>{{ "Be very careful, any action taken here can't be cancelled." | _ }}
|
|
{% if not account.is_admin %}
|
|
<form method="post" action="/@/{{ account.fqn }}/delete">
|
|
<input type="submit" class="inline-block button destructive" value="{{ 'Delete your account' | _ }}">
|
|
</form>
|
|
{% else %}
|
|
<p>{{ "Sorry, but as an admin, you can't leave your instance." | _ }}</p>
|
|
{% endif %}
|
|
{% endblock content %}
|