Merge pull request #4996 from devansh-webkul/vul-issue
Missing CSRF protection added to three routes
ghermans committed Jul 6, 2021
2 parents 4cb9c1c + b35dff5 commit 265aa14
Showing 19 changed files with 164 additions and 40 deletions.
6 changes: 3 additions & 3 deletions packages/Webkul/Shop/src/Http/routes.php
Expand Up @@ -247,7 +247,7 @@
Route::get('addresses/default/{id}', 'Webkul\Customer\Http\Controllers\AddressController@makeDefault')->name('make.default.address');

//Customer Address Delete
Route::get('addresses/delete/{id}', 'Webkul\Customer\Http\Controllers\AddressController@destroy')->name('address.delete');
Route::delete('addresses/delete/{id}', 'Webkul\Customer\Http\Controllers\AddressController@destroy')->name('address.delete');

/* Wishlist route */
//Customer wishlist(listing)
Expand Down Expand Up @@ -281,7 +281,7 @@
'view' => 'shop::customers.account.orders.print'
])->name('customer.orders.print');

Route::get('/orders/cancel/{id}', 'Webkul\Shop\Http\Controllers\OrderController@cancel')->name('customer.orders.cancel');
Route::post('/orders/cancel/{id}', 'Webkul\Shop\Http\Controllers\OrderController@cancel')->name('customer.orders.cancel');

/* Reviews route */
//Customer reviews
Expand All @@ -290,7 +290,7 @@
])->name('customer.reviews.index');

//Customer review delete
Route::get('reviews/delete/{id}', 'Webkul\Shop\Http\Controllers\ReviewController@destroy')->defaults('_config', [
Route::delete('reviews/delete/{id}', 'Webkul\Shop\Http\Controllers\ReviewController@destroy')->defaults('_config', [
'redirect' => 'customer.reviews.index'
])->name('customer.review.delete');

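Review bot: The CSRF check these verb changes depend on comes from the `web` middleware group (`VerifyCsrfToken`), not from the HTTP method itself; the route group wrapping `addresses/delete/{id}`, `/orders/cancel/{id}` and `reviews/delete/{id}` starts and ends outside these hunks, so confirm all three sit inside that group and behind the customer auth middleware. Any remaining `GET` link to these route names elsewhere (other themes, e-mails) now fails with 405 instead of performing the action, which is the intended failure mode but worth a search before merging.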
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/ar/app.php
Expand Up @@ -391,7 +391,11 @@

'view' => [
'page-tile' => '#:id مراجعة',
]
],

'delete' => [
'confirmation-message' => 'هل أنت متأكد أنك تريد حذف هذه المراجعة؟',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/de/app.php
Expand Up @@ -388,7 +388,11 @@

'view' => [
'page-tile' => 'Bewertung #:id',
]
],

'delete' => [
'confirmation-message' => 'Möchten Sie diese Bewertung wirklich löschen?',
],
]
]
],
9 changes: 7 additions & 2 deletions packages/Webkul/Shop/src/Resources/lang/en/app.php
Expand Up @@ -387,12 +387,17 @@
'review' => [
'index' => [
'title' => 'Reviews',
'page-title' => 'Reviews'
'page-title' => 'Reviews',

],

'view' => [
'page-tile' => 'Review #:id',
]
],

'delete' => [
'confirmation-message' => 'Are you sure you want to delete this review?',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/es/app.php
Expand Up @@ -391,7 +391,11 @@

'view' => [
'page-tile' => 'Opinión #:id',
]
],

'delete' => [
'confirmation-message' => '¿Seguro que quieres eliminar esta crítica?',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/fa/app.php
Expand Up @@ -387,7 +387,11 @@

'view' => [
'page-tile' => '#:id بررسی',
]
],

'delete' => [
'confirmation-message' => 'آیا شما مطمئن هستید که می خواهید این نظر را حذف کنید؟',
],
]
]
],
4 changes: 4 additions & 0 deletions packages/Webkul/Shop/src/Resources/lang/fr/app.php
Expand Up @@ -390,6 +390,10 @@
'view' => [
'page-tile' => 'Avis n° :id',
],

'delete' => [
'confirmation-message' => 'Êtes-vous sûr de vouloir supprimer cet avis ?',
],
],
],
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/it/app.php
Expand Up @@ -389,7 +389,11 @@

'view' => [
'page-tile' => 'Recensione #:id',
]
],

'delete' => [
'confirmation-message' => 'Sei sicuro di voler eliminare questa recensione?',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/ja/app.php
Expand Up @@ -369,7 +369,11 @@

'view' => [
'page-tile' => 'レビュー #:id',
]
],

'delete' => [
'confirmation-message' => 'このレビューを削除してもよろしいですか?',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/nl/app.php
Expand Up @@ -395,7 +395,11 @@

'view' => [
'page-tile' => 'Recensies #:id',
]
],

'delete' => [
'confirmation-message' => 'Weet je zeker dat je deze recensie wilt verwijderen?',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/pl/app.php
Expand Up @@ -389,7 +389,11 @@

'view' => [
'page-tile' => 'Recenzja #:id',
]
],

'delete' => [
'confirmation-message' => 'Czy na pewno chcesz usunąć tę recenzję?',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/pt_BR/app.php
Expand Up @@ -383,7 +383,11 @@

'view' => [
'page-tile' => 'Avaliação #:id',
]
],

'delete' => [
'confirmation-message' => 'Tem certeza de que deseja excluir este comentário?',
],
]
]
],
6 changes: 5 additions & 1 deletion packages/Webkul/Shop/src/Resources/lang/tr/app.php
Expand Up @@ -388,7 +388,11 @@

'view' => [
'page-tile' => 'İnceleme #:id',
]
],

'delete' => [
'confirmation-message' => 'Bu incelemeyi silmek istediğinizden emin misiniz?',
],
]
]
],
Expand Up @@ -77,18 +77,22 @@ class="bold">{{ auth()->guard('customer')->user()->name }}</span>
</ul>

<div class="control-links mt-20">
<span>
<a href="{{ route('customer.address.edit', $address->id) }}">
{{ __('shop::app.customer.account.address.index.edit') }}
</a>
</span>
<span>
<a href="{{ route('customer.address.edit', $address->id) }}">
{{ __('shop::app.customer.account.address.index.edit') }}
</a>
</span>

<span>
<a href="{{ route('address.delete', $address->id) }}"
onclick="deleteAddress('{{ __('shop::app.customer.account.address.index.confirm-delete') }}')">
{{ __('shop::app.customer.account.address.index.delete') }}
</a>
</span>
<a href="javascript:void(0);" onclick="deleteAddress('{{ __('shop::app.customer.account.address.index.confirm-delete') }}')">
{{ __('shop::app.customer.account.address.index.delete') }}
</a>

<form id="deleteAddressForm" action="{{ route('address.delete', $address->id) }}" method="post">
@method('delete')
@csrf
</form>
</span>
</div>
</div>
</div>
Expand All @@ -105,8 +109,11 @@ class="bold">{{ auth()->guard('customer')->user()->name }}</span>
@push('scripts')
<script>
function deleteAddress(message) {
if (!confirm(message))
event.preventDefault();
if (! confirm(message)) {
return;
}
$('#deleteAddressForm').submit();
}
</script>
@endpush
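Review bot: The delete form added as `<form id="deleteAddressForm" ...>` carries a fixed id while its `action` uses `$address->id`; if this markup is rendered once per address (the per-address route parameter suggests a loop, but it starts above the hunk), every address gets a form with the same id and `$('#deleteAddressForm').submit()` always submits the first one, so a click deletes a different address than the one chosen. Key the form by address and pass that key to the handler: `<form id="deleteAddressForm-{{ $address->id }}" ...>`, `onclick="deleteAddress('...', {{ $address->id }})"`, and `function deleteAddress(message, id) { ... $('#deleteAddressForm-' + id).submit(); }`. The same fixed-id pattern appears in the second addresses view below (`deleteAddressForm`) and in both reviews views (`deleteReviewForm` / `deleteReview`), where the list context (`$reviews`, `loadNextPage`) makes the collision more likely.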
Expand Up @@ -21,7 +21,11 @@


@if ($order->canCancel())
<a href="{{ route('customer.orders.cancel', $order->id) }}" class="btn btn-lg btn-primary" v-alert:message="'{{ __('shop::app.customer.account.order.view.cancel-confirm-msg') }}'" style="float: right;">
<form id="cancelOrderForm" action="{{ route('customer.orders.cancel', $order->id) }}" method="post">
@csrf
</form>

<a href="javascript:void(0);" class="btn btn-lg btn-primary" onclick="cancelOrder('{{ __('shop::app.customer.account.order.view.cancel-confirm-msg') }}')" style="float: right;">
{{ __('shop::app.customer.account.order.view.cancel-btn-title') }}
</a>
@endif
Expand Down Expand Up @@ -560,3 +564,15 @@
</div>

@endsection

@push('scripts')
<script>
function cancelOrder(message) {
if (! confirm(message)) {
return;
}
$('#cancelOrderForm').submit();
}
</script>
@endpush
Expand Up @@ -57,7 +57,12 @@
</div>

<div class="operations">
<a class="mb-50" href="{{ route('customer.review.delete', $review->id) }}"><span class="icon trash-icon"></span></a>
<form id="deleteReviewForm" action="{{ route('customer.review.delete', $review->id) }}" method="post">
@method('delete')
@csrf
</form>

<a class="mb-50" href="javascript:void(0);" onclick="deleteReview('{{ __('shop::app.customer.account.review.delete.confirmation-message') }}')"><span class="icon trash-icon"></span></a>
</div>
</div>
<div class="horizontal-rule mb-10 mt-10"></div>
Expand All @@ -77,4 +82,16 @@
{!! view_render_event('bagisto.shop.customers.account.reviews.list.after', ['reviews' => $reviews]) !!}
</div>
</div>
@endsection
@endsection

@push('scripts')
<script>
function deleteReview(message) {
if (! confirm(message)) {
return;
}
$('#deleteReviewForm').submit();
}
</script>
@endpush
Expand Up @@ -56,13 +56,14 @@
{{ __('shop::app.customer.account.address.index.edit') }}
</a>

<a
class="card-link"
href="{{ route('address.delete', $address->id) }}"
onclick="deleteAddress('{{ __('shop::app.customer.account.address.index.confirm-delete') }}')">

<a class="card-link" href="javascript:void(0);" onclick="deleteAddress('{{ __('shop::app.customer.account.address.index.confirm-delete') }}')">
{{ __('shop::app.customer.account.address.index.delete') }}
</a>

<form id="deleteAddressForm" action="{{ route('address.delete', $address->id) }}" method="post">
@method('delete')
@csrf
</form>
</div>
</div>
</div>
Expand All @@ -77,8 +78,11 @@ class="card-link"
@push('scripts')
<script>
function deleteAddress(message) {
if (!confirm(message))
event.preventDefault();
if (! confirm(message)) {
return;
}
$('#deleteAddressForm').submit();
}
</script>
@endpush
Expand Up @@ -28,7 +28,11 @@

@if ($order->canCancel())
<span class="account-action">
<a href="{{ route('customer.orders.cancel', $order->id) }}" class="theme-btn light unset float-right" v-alert:message="'{{ __('shop::app.customer.account.order.view.cancel-confirm-msg') }}'" style="float: right">
<form id="cancelOrderForm" action="{{ route('customer.orders.cancel', $order->id) }}" method="post">
@csrf
</form>

<a href="javascript:void(0);" class="theme-btn light unset float-right" onclick="cancelOrder('{{ __('shop::app.customer.account.order.view.cancel-confirm-msg') }}')" style="float: right">
{{ __('shop::app.customer.account.order.view.cancel-btn-title') }}
</a>
</span>
Expand Down Expand Up @@ -579,4 +583,16 @@
{!! view_render_event('bagisto.shop.customers.account.orders.view.after', ['order' => $order]) !!}
</div>
</div>
@endsection
@endsection

@push('scripts')
<script>
function cancelOrder(message) {
if (! confirm(message)) {
return;
}
$('#cancelOrderForm').submit();
}
</script>
@endpush
Expand Up @@ -59,7 +59,12 @@ class="remove-decoration"
</div>

<div class="col-2">
<a class="unset" href="{{ route('customer.review.delete', $review->id) }}">
<form id="deleteReviewForm" action="{{ route('customer.review.delete', $review->id) }}" method="post">
@method('delete')
@csrf
</form>

<a class="unset" href="javacript:void(0);" onclick="deleteReview('{{ __('shop::app.customer.account.review.delete.confirmation-message') }}')">
<span class="rango-delete fs24"></span>
<span class="align-vertical-top">{{ __('shop::app.checkout.cart.remove') }}</span>
</a>
Expand All @@ -84,6 +89,16 @@ class="remove-decoration"
@endsection

@push('scripts')
<script>
function deleteReview(message) {
if (! confirm(message)) {
return;
}
$('#deleteReviewForm').submit();
}
</script>

<script type="text/x-template" id="load-more-template">
<div class="col-12 row justify-content-center">
<button type="button" class="theme-btn light" @click="loadNextPage">Load More</button>
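Review bot: The new delete anchor has a misspelled scheme, `href="javacript:void(0);"`; because the `onclick` handler does not stop the default action, the browser still attempts to navigate to that unknown `javacript:` URL after `deleteReview()` runs (or after the user cancels the confirm), and what happens then varies by browser. Change it to `href="javascript:void(0);"`, as the other new anchors in this commit do, or use a `<button type="button">` inside the form so no navigation is involved at all.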

0 comments on commit 265aa14