Replace GET way to POST way to delete API client

Nicolas Lœuillet 2023-07-29 10:31:51 +02:00 committed by Kevin Decherf
parent f4fd8e4675
commit c3d1f92278
3 changed files with 15 additions and 12 deletions


@ -69,12 +69,17 @@ class DeveloperController extends AbstractController
/** /**
* Remove a client. * Remove a client.
* *
* @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client") * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"})
* *
* @return RedirectResponse * @return RedirectResponse
*/ */
public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
{ {
if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.');
}
if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) { if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {
throw $this->createAccessDeniedException('You can not access this client.'); throw $this->createAccessDeniedException('You can not access this client.');
} }
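Review bot: The CSRF check on the added lines runs before the ownership check, so a cross-user POST that carries no token is rejected as `Bad CSRF token` and never reaches the `getUser()` comparison; the test file's `logInAs('bob')` POST, which sends no token and expects 403, therefore now exercises only the CSRF branch and no longer proves that another user cannot delete the client. That test should send a valid `delete-client` token for bob's session (obtained from the CSRF token manager in the test container) so its 403 comes from the ownership guard, and a second request without any token would pin the new check separately. The docblock should also state the new contract, e.g. `@throws AccessDeniedException when the CSRF token is missing or invalid, or the client belongs to another user`. deleteClientAction's body continues past the hunk.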


@ -57,9 +57,11 @@
<p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p> <p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p>
<p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p> <p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p>
<p> <form action="{{ path('developer_delete_client', { id: client.id }) }}" method="post" name="delete-client">
<a class="waves-effect waves-light red btn" href="{{ path('developer_delete_client', {'id': client.id}) }}">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</a> <input type="hidden" name="token" value="{{ csrf_token('delete-client') }}" />
</p>
<button class="waves-effect waves-light btn red" type="submit">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</button>
</form>
</div> </div>
</li> </li>
{% endfor %} {% endfor %}


@ -104,20 +104,16 @@ class DeveloperControllerTest extends WallabagCoreTestCase
$this->assertStringContainsString('no_client', $client->getResponse()->getContent()); $this->assertStringContainsString('no_client', $client->getResponse()->getContent());
$this->logInAs('bob'); $this->logInAs('bob');
$client->request('GET', '/developer/client/delete/' . $adminApiClient->getId()); $client->request('POST', '/developer/client/delete/' . $adminApiClient->getId());
$this->assertSame(403, $client->getResponse()->getStatusCode()); $this->assertSame(403, $client->getResponse()->getStatusCode());
// Try to remove the admin's client with the good user // Try to remove the admin's client with the good user
$this->logInAs('admin'); $this->logInAs('admin');
$crawler = $client->request('GET', '/developer'); $crawler = $client->request('GET', '/developer');
$link = $crawler $form = $crawler->filter('form[name=delete-client]')->form();
->filter('div[class=collapsible-body] p a')
->eq(0)
->link()
;
$client->click($link); $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertNull( $this->assertNull(