From a9893d754ffac8b37cfd5f11485a730f5e862509 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?=
Date: Sat, 29 Jul 2023 10:44:10 +0200
Subject: [PATCH] Replace GET way to POST way to reset data user

Signed-off-by: Kevin Decherf
---
 .../Controller/ConfigController.php          |  8 +++-
 .../Resources/views/Config/index.html.twig   | 40 +++++++++++++------
 .../Controller/ConfigControllerTest.php      | 15 ++++---
 3 files changed, 44 insertions(+), 19 deletions(-)

diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index 9adc4c29b..a69ce37e3 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -523,12 +523,16 @@ class ConfigController extends AbstractController
     /**
      * Remove all annotations OR tags OR entries for the current user.
      *
-     * @Route("/reset/{type}", requirements={"id" = "annotations|tags|entries"}, name="config_reset")
+     * @Route("/reset/{type}", requirements={"id" = "annotations|tags|entries"}, name="config_reset", methods={"POST"})
      *
      * @return RedirectResponse
      */
-    public function resetAction(string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository)
+    public function resetAction(Request $request, string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository)
     {
+        if (!$this->isCsrfTokenValid('reset-area', $request->request->get('token'))) {
+            throw $this->createAccessDeniedException('Bad CSRF token.');
+        }
+
         switch ($type) {
             case 'annotations':
                 $annotationRepository->removeAllByUserId($this->getUser()->getId());
diff --git a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
index 8681b20c2..30c39294f 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
@@ -552,18 +552,34 @@
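Review bot: The rewritten `@Route` line keeps a pre-existing mismatch: the `requirements` key is `id` while the placeholder is `{type}`, so the `annotations|tags|entries` pattern is never enforced and any string reaches the `switch` (the test file resets `archived`, which is not even in that list, and presumably only works because of this). Either fix the key and the list, `requirements={"type" = "annotations|tags|entries|archived"}`, or make sure the `switch` — which continues past the end of the hunk — rejects unknown values rather than falling through to a success redirect. The CSRF gate itself is placed correctly, before any deletion and on a POST-only route; as defence in depth consider binding the token to the action with `'reset-' . $type` as the token id instead of the shared `reset-area`, so a token rendered for one reset form cannot be replayed against another. The hunk does not show the `use` block, so confirm `Request` is already imported in this controller.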
{{ 'config.reset.title'|trans }}

{{ 'config.reset.description'|trans }}

- - {{ 'config.reset.annotations'|trans }} - - - {{ 'config.reset.tags'|trans }} - - - {{ 'config.reset.archived'|trans }} - - - {{ 'config.reset.entries'|trans }} - +

+

+ + + +
+

+

+

+ + + +
+

+

+

+ + + +
+

+

+

+ + + +
+

{% if enabled_users > 1 %} diff --git a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php index 03a7485df..9174daf85 100644 --- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php +++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php @@ -929,7 +929,8 @@ class ConfigControllerTest extends WallabagCoreTestCase $this->assertSame(200, $client->getResponse()->getStatusCode()); - $crawler = $client->click($crawler->selectLink('config.reset.annotations')->link()); + $form = $crawler->filter('form[name=reset-annotations]')->form(); + $client->submit($form); $this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertStringContainsString('flashes.config.notice.annotations_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]); @@ -945,7 +946,8 @@ class ConfigControllerTest extends WallabagCoreTestCase $this->assertSame(200, $client->getResponse()->getStatusCode()); - $crawler = $client->click($crawler->selectLink('config.reset.tags')->link()); + $form = $crawler->filter('form[name=reset-tags]')->form(); + $client->submit($form); $this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertStringContainsString('flashes.config.notice.tags_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]); @@ -961,7 +963,8 @@ class ConfigControllerTest extends WallabagCoreTestCase $this->assertSame(200, $client->getResponse()->getStatusCode()); - $crawler = $client->click($crawler->selectLink('config.reset.entries')->link()); + $form = $crawler->filter('form[name=reset-entries]')->form(); + $client->submit($form); $this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertStringContainsString('flashes.config.notice.entries_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]); 
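Review bot: The updated test still only drives the happy path through the rendered form, so nothing asserts that the protections this commit adds actually reject a forged request, and a later regression dropping `methods={"POST"}` or the `isCsrfTokenValid` call would pass CI unnoticed. Next to this form submission add a negative case that sends `$client->request('GET', '/config/reset/annotations');` and expects 405, and one that POSTs with a bogus `token` and expects 403, in each case checking afterwards that the user's annotations are still present. The enclosing test method starts and ends outside the hunk.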
@@ -1027,7 +1030,8 @@ class ConfigControllerTest extends WallabagCoreTestCase $this->assertSame(200, $client->getResponse()->getStatusCode()); - $crawler = $client->click($crawler->selectLink('config.reset.archived')->link()); + $form = $crawler->filter('form[name=reset-archived]')->form(); + $client->submit($form); $this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertStringContainsString('flashes.config.notice.archived_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]); @@ -1086,7 +1090,8 @@ class ConfigControllerTest extends WallabagCoreTestCase $this->assertSame(200, $client->getResponse()->getStatusCode()); - $crawler = $client->click($crawler->selectLink('config.reset.entries')->link()); + $form = $crawler->filter('form[name=reset-entries]')->form(); + $client->submit($form); $this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertStringContainsString('flashes.config.notice.entries_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);