Replace GET way to POST way to delete API client
This commit is contained in:
parent
f4fd8e4675
commit
c3d1f92278
3 changed files with 15 additions and 12 deletions
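--- a/PATH_PLACEHOLDER/DeveloperController.php
+++ b/PATH_PLACEHOLDER/DeveloperController.php
@@ -69,12 +69,17 @@ class DeveloperController extends AbstractController
 /**
 * Remove a client.
 *
-* @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client")
+* @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"})
 *
 * @return RedirectResponse
 */
-public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
+public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
 {
+
+if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
+throw $this->createAccessDeniedException('Bad CSRF token.');
+}
+
 if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {
 throw $this->createAccessDeniedException('You can not access this client.');
 }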
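Review bot: The docblock of deleteClientAction still documents only the return type although the method now reads a POST body field and denies access for two distinct reasons; adding `* @throws AccessDeniedException when the CSRF token is missing or invalid, or the client belongs to another user` above the `@return` line would record that contract. Validating the token before the ownership check is the right order: a cross-site POST is rejected before any entity-level decision is made. `Client $client` is already resolved from the route `{id}` when the body runs, so a request for a non-existent id presumably yields a 404 before the token is inspected, which is acceptable but worth keeping in mind when reading the test expectations. The rendered hunk also shows an empty line directly after the opening brace of the method; if that line is really in the file, the project's CS fixer will likely drop it. The method body continues past the end of the hunk.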
@ -57,9 +57,11 @@
<p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p>
<p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p>
<p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p>
<p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p>
<p>
<form action="{{ path('developer_delete_client', { id: client.id }) }}" method="post" name="delete-client">
<a class="waves-effect waves-light red btn" href="{{ path('developer_delete_client', {'id': client.id}) }}">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</a>
<input type="hidden" name="token" value="{{ csrf_token('delete-client') }}" />
</p>
<button class="waves-effect waves-light btn red" type="submit">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</button>
</form>
</div>
</div>
</li>
</li>
{% endfor %}
{% endfor %}
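Review bot: Every iteration of the surrounding loop (its `{% endfor %}` is the last context line of the hunk) renders a form with the same `name="delete-client"`, so anything that locates the form by name — the functional test's `form[name=delete-client]` selector, for instance — always picks the first client's form. If the list can hold several clients, consider a per-client name such as `name="delete-client-{{ client.id }}"` or selecting by the `action` URL, and adjust the test selector to match. The hidden `token` field bound to the `delete-client` token id matches what the controller validates, so the CSRF protection itself looks consistent. The enclosing markup starts before the hunk.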
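--- a/PATH_PLACEHOLDER/DeveloperControllerTest.php
+++ b/PATH_PLACEHOLDER/DeveloperControllerTest.php
@@ -104,20 +104,16 @@ class DeveloperControllerTest extends WallabagCoreTestCase
 $this->assertStringContainsString('no_client', $client->getResponse()->getContent());
 
 $this->logInAs('bob');
-$client->request('GET', '/developer/client/delete/' . $adminApiClient->getId());
+$client->request('POST', '/developer/client/delete/' . $adminApiClient->getId());
 $this->assertSame(403, $client->getResponse()->getStatusCode());
 
 // Try to remove the admin's client with the good user
 $this->logInAs('admin');
 $crawler = $client->request('GET', '/developer');
 
-$link = $crawler
-->filter('div[class=collapsible-body] p a')
-->eq(0)
-->link()
-;
+$form = $crawler->filter('form[name=delete-client]')->form();
 
-$client->click($link);
+$client->submit($form);
 $this->assertSame(302, $client->getResponse()->getStatusCode());
 
 $this->assertNull(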
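Review bot: The changed request for bob now POSTs without a `token` field, so the asserted 403 is produced by the new CSRF guard rather than by the ownership check this case used to cover; the `You can not access this client.` branch is no longer exercised by the test. A follow-up could post a valid session token (for example one issued by the `security.csrf.token_manager` service for the `delete-client` id) from bob's session so the ownership branch keeps a dedicated assertion. The new `filter('form[name=delete-client]')->form()` takes the first matching form; if admin has more than one client on the page it may not be the form for `$adminApiClient`, which the assertion after the hunk presumably checks. The test method starts before the hunk and ends after it.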