mirror of
https://github.com/wallabag/wallabag.git
synced 2024-12-23 08:06:33 +00:00
Replace GET way to POST way to delete API client
This commit is contained in:
parent
f4fd8e4675
commit
c3d1f92278
3 changed files with 15 additions and 12 deletions
|
@ -69,12 +69,17 @@ class DeveloperController extends AbstractController
|
|||
/**
|
||||
* Remove a client.
|
||||
*
|
||||
* @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client")
|
||||
* @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"})
|
||||
*
|
||||
* @return RedirectResponse
|
||||
*/
|
||||
public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
|
||||
public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
|
||||
{
|
||||
|
||||
if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
|
||||
throw $this->createAccessDeniedException('Bad CSRF token.');
|
||||
}
|
||||
|
||||
if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {
|
||||
throw $this->createAccessDeniedException('You can not access this client.');
|
||||
}
|
||||
|
|
|
@ -57,9 +57,11 @@
|
|||
|
||||
<p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p>
|
||||
<p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p>
|
||||
<p>
|
||||
<a class="waves-effect waves-light red btn" href="{{ path('developer_delete_client', {'id': client.id}) }}">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</a>
|
||||
</p>
|
||||
<form action="{{ path('developer_delete_client', { id: client.id }) }}" method="post" name="delete-client">
|
||||
<input type="hidden" name="token" value="{{ csrf_token('delete-client') }}" />
|
||||
|
||||
<button class="waves-effect waves-light btn red" type="submit">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</button>
|
||||
</form>
|
||||
</div>
|
||||
</li>
|
||||
{% endfor %}
|
||||
|
|
|
@ -104,20 +104,16 @@ class DeveloperControllerTest extends WallabagCoreTestCase
|
|||
$this->assertStringContainsString('no_client', $client->getResponse()->getContent());
|
||||
|
||||
$this->logInAs('bob');
|
||||
$client->request('GET', '/developer/client/delete/' . $adminApiClient->getId());
|
||||
$client->request('POST', '/developer/client/delete/' . $adminApiClient->getId());
|
||||
$this->assertSame(403, $client->getResponse()->getStatusCode());
|
||||
|
||||
// Try to remove the admin's client with the good user
|
||||
$this->logInAs('admin');
|
||||
$crawler = $client->request('GET', '/developer');
|
||||
|
||||
$link = $crawler
|
||||
->filter('div[class=collapsible-body] p a')
|
||||
->eq(0)
|
||||
->link()
|
||||
;
|
||||
$form = $crawler->filter('form[name=delete-client]')->form();
|
||||
|
||||
$client->click($link);
|
||||
$client->submit($form);
|
||||
$this->assertSame(302, $client->getResponse()->getStatusCode());
|
||||
|
||||
$this->assertNull(
|
||||
|
|
Loading…
Reference in a new issue