diff --git a/src/Wallabag/ApiBundle/Controller/DeveloperController.php b/src/Wallabag/ApiBundle/Controller/DeveloperController.php
index 3fdf55d0a..90f4d7529 100644
--- a/src/Wallabag/ApiBundle/Controller/DeveloperController.php
+++ b/src/Wallabag/ApiBundle/Controller/DeveloperController.php
@@ -69,12 +69,17 @@ class DeveloperController extends AbstractController
 /**
 * Remove a client.
 *
- * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client")
+ * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"})
 *
 * @return RedirectResponse
 */
- public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
+ public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
 {
+
+ if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
+ throw $this->createAccessDeniedException('Bad CSRF token.');
+ }
+
 if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {
 throw $this->createAccessDeniedException('You can not access this client.');
 }
diff --git a/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig b/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig
index 2093227d0..ff2d1b8c7 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig
@@ -57,9 +57,11 @@
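Review bot: The blank line added directly after the opening `{` of deleteClientAction is a style slip under PER-CS/PSR-12 (no blank line after a function's opening brace) and a php-cs-fixer run with the usual Symfony ruleset would likely remove it, so drop it and let the CSRF guard start on the first body line. The docblock should also record the new precondition the method enforces, e.g. `@throws AccessDeniedException when the CSRF token is missing or invalid, or the client belongs to another user`. For a request without the field, `$request->request->get('token')` yields null, which `isCsrfTokenValid()` rejects, so the guard covers the absent-token case as well as a wrong one. The token id `delete-client` and the field name `token` form a contract with the template's new form; the Twig hunk in this diff is too garbled here to confirm they match. The remainder of deleteClientAction's body continues outside the hunk.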

{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}

{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}

-

- {{ 'developer.remove.action'|trans({'%name%': client.name}) }} -

+
+ + + +
{% endfor %} diff --git a/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php b/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php index 27354e155..35573809a 100644 --- a/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php +++ b/tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php @@ -104,20 +104,16 @@ class DeveloperControllerTest extends WallabagCoreTestCase $this->assertStringContainsString('no_client', $client->getResponse()->getContent()); $this->logInAs('bob'); - $client->request('GET', '/developer/client/delete/' . $adminApiClient->getId()); + $client->request('POST', '/developer/client/delete/' . $adminApiClient->getId()); $this->assertSame(403, $client->getResponse()->getStatusCode()); // Try to remove the admin's client with the good user $this->logInAs('admin'); $crawler = $client->request('GET', '/developer'); - $link = $crawler - ->filter('div[class=collapsible-body] p a') - ->eq(0) - ->link() - ; + $form = $crawler->filter('form[name=delete-client]')->form(); - $client->click($link); + $client->submit($form); $this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertNull(