Merge pull request from GHSA-gjvc-55fw-v6vq

Replace GET way to POST way to delete API client
This commit is contained in:
Nicolas Lœuillet 2023-08-21 11:08:47 +02:00 committed by GitHub
commit ffcc5c9062
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 12 deletions

View file

@ -69,12 +69,17 @@ class DeveloperController extends AbstractController
/**
* Remove a client.
*
* @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client")
* @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"})
*
* @return RedirectResponse
*/
public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator)
{
if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) {
throw $this->createAccessDeniedException('Bad CSRF token.');
}
if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) {
throw $this->createAccessDeniedException('You can not access this client.');
}

View file

@ -57,9 +57,11 @@
<p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p>
<p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p>
<p>
<a class="waves-effect waves-light red btn" href="{{ path('developer_delete_client', {'id': client.id}) }}">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</a>
</p>
<form action="{{ path('developer_delete_client', { id: client.id }) }}" method="post" name="delete-client">
<input type="hidden" name="token" value="{{ csrf_token('delete-client') }}" />
<button class="waves-effect waves-light btn red" type="submit">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</button>
</form>
</div>
</li>
{% endfor %}

View file

@ -104,20 +104,16 @@ class DeveloperControllerTest extends WallabagCoreTestCase
$this->assertStringContainsString('no_client', $client->getResponse()->getContent());
$this->logInAs('bob');
$client->request('GET', '/developer/client/delete/' . $adminApiClient->getId());
$client->request('POST', '/developer/client/delete/' . $adminApiClient->getId());
$this->assertSame(403, $client->getResponse()->getStatusCode());
// Try to remove the admin's client with the good user
$this->logInAs('admin');
$crawler = $client->request('GET', '/developer');
$link = $crawler
->filter('div[class=collapsible-body] p a')
->eq(0)
->link()
;
$form = $crawler->filter('form[name=delete-client]')->form();
$client->click($link);
$client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertNull(