Skip to content
Permalink
Browse files
security: cross-site request forgery
- huntr
  • Loading branch information
HDVinnie committed Nov 15, 2021
1 parent 74695a1 commit 804c4c6a4db4139bc2d9b75efd2e905278dded17
@@ -52,13 +52,18 @@ class="l-breadcrumb-item-link-title">{{ $p->name }}</span></a>
itemprop="url" class="l-breadcrumb-item-link"><span itemprop="title"
class="l-breadcrumb-item-link-title">{{ $p->user->username }}
({{ $p->user->group->name }})</span></a></td>
<td><a href="{{ route('staff.moderation.approve', ['id' => $p->id]) }}" role='button'
class='btn btn-labeled btn-success'>
<span class="btn-label">
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
</span>
@lang('common.moderation-approve')
</a></td>
<td>
<form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $p->id]) }}"
style="display: inline-block;">
@csrf
<button type="submit" class="btn btn-labeled btn-success">
<span class="btn-label">
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
</span>
@lang('common.moderation-approve')
</button>
</form>
</td>
<td>
<button data-target="#pendpostpone-{{ $p->id }}" data-toggle="modal" class="btn btn-labeled btn-danger">
<span class="btn-label"><i class="{{ config('other.font-awesome') }} fa-pause"></i></span>
@@ -214,13 +219,18 @@ class="l-breadcrumb-item-link-title">{{ $post->user->username }}
itemprop="url" class="l-breadcrumb-item-link"><span itemprop="title"
class="l-breadcrumb-item-link-title">{{ $post->moderated->username }}
({{ $post->moderated->group->name }})</span></a></td>
<td><a href="{{ route('staff.moderation.approve', ['id' => $post->id]) }}" role='button'
class='btn btn-labeled btn-success'>
<span class="btn-label">
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
</span>
@lang('common.moderation-approve')
</a></td>
<td>
<form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $post->id]) }}"
style="display: inline-block;">
@csrf
<button type="submit" class="btn btn-labeled btn-success">
<span class="btn-label">
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
</span>
@lang('common.moderation-approve')
</button>
</form>
</td>
<td><a href="{{ route('edit', ['id' => $post->id]) }}" role='button'
class='btn btn-labeled btn-info'><span class="btn-label"><i
class="{{ config('other.font-awesome') }} fa-pencil"></i></span>@lang('common.edit')</a></td>
@@ -329,13 +339,18 @@ class="l-breadcrumb-item-link-title">{{ $reject->user->username }}
itemprop="url" class="l-breadcrumb-item-link"><span itemprop="title"
class="l-breadcrumb-item-link-title">{{ $reject->moderated->username }}
({{ $reject->moderated->group->name }})</span></a></td>
<td><a href="{{ route('staff.moderation.approve', ['id' => $reject->id]) }}" role='button'
class='btn btn-labeled btn-success'>
<span class="btn-label">
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
</span>
@lang('common.moderation-approve')
</a></td>
<td>
<form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $reject->id]) }}"
style="display: inline-block;">
@csrf
<button type="submit" class="btn btn-labeled btn-success">
<span class="btn-label">
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
</span>
@lang('common.moderation-approve')
</button>
</form>
</td>
<td>
<button data-target="#rejectpost-{{ $reject->id }}" data-toggle="modal" class="btn btn-labeled btn-danger">
<span class="btn-label"><i class="{{ config('other.font-awesome') }} fa-pause"></i></span>
@@ -204,13 +204,13 @@ class="{{ config('other.font-awesome') }} fa-check-square"></i>@lang('request.fi
</span>

@if ($user->group->is_modo || $torrentRequestClaim->username == $user->username)
<a href="{{ route('unclaimRequest', ['id' => $torrentRequest->id]) }}"
class="btn btn-xs btn-danger" role="button" data-toggle="tooltip"
data-original-title="@lang('request.unclaim')">
<span class="icon">
<i class="{{ config('other.font-awesome') }} fa-times"></i> @lang('request.unclaim')
</span>
</a>
<form role="form" method="POST" action="{{ route('unclaimRequest', ['id' => $torrentRequest->id]) }}"
style="display: inline-block;">
@csrf
<button type="submit" class="btn btn-xs btn-danger">
<i class="{{ config('other.font-awesome') }} fa-times"></i> @lang('request.unclaim')
</button>
</form>
<a href="{{ route('upload_form', ['category_id' => $torrentRequest->category_id, 'title' => $meta->title ?? ' ', 'imdb' => $meta->imdb ?? 0, 'tmdb' => $meta->tmdb ?? 0]) }}"
class="btn btn-xs btn-success"> @lang('common.upload') {{ $meta->title ?? ''}}
</a>
@@ -287,16 +287,20 @@ class="btn btn-xs btn-success"> @lang('common.upload') {{ $meta->title ?? ''}}
<span class="badge-extra">
{{ $torrentRequest->filled_when->diffForHumans() }}
</span>
<span class="badge-extra">
<a href="{{ route('approveRequest', ['id' => $torrentRequest->id]) }}">
<form role="form" method="POST" action="{{ route('approveRequest', ['id' => $torrentRequest->id]) }}"
style="display: inline-block;">
@csrf
<button type="submit" class="btn btn-xs btn-success">
@lang('request.approve')
</a>
</span>
<span class="badge-extra">
<a href="{{ route('rejectRequest', ['id' => $torrentRequest->id]) }}">
</button>
</form>
<form role="form" method="POST" action="{{ route('rejectRequest', ['id' => $torrentRequest->id]) }}"
style="display: inline-block;">
@csrf
<button type="submit" class="btn btn-xs btn-warning">
@lang('request.reject')
</a>
</span>
</button>
</form>
</td>
</tr>
<tr>
@@ -84,7 +84,7 @@
aria-hidden="true">&times;</span></button>
<h2><i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>@lang('request.reset-request')!</h2>
</div>
<form role="form" method="GET" action="{{ route('resetRequest', ['id' => $torrentRequest->id]) }}">
<form role="form" method="POST" action="{{ route('resetRequest', ['id' => $torrentRequest->id]) }}">
@csrf
<div class="modal-body">
<p class="text-center">@lang('request.reset-confirmation')?</p>
@@ -703,10 +703,13 @@ class="btn btn-primary btn-xs" role="button">

@if (auth()->user()->group->is_modo)
<div class="torrent-moderation-controls">
<a href="{{ route('staff.moderation.approve', ['id' => $torrent->id]) }}" role='button'
class='btn btn-labeled btn-success btn-xs @if ($torrent->isApproved()) disabled @endif'>
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i> @lang('common.moderation-approve')
</a>
<form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $torrent->id]) }}"
style="display: inline-block;">
@csrf
<button type="submit" class="btn btn-labeled btn-xs btn-success @if ($torrent->isApproved()) disabled @endif">
<i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i> @lang('common.moderation-approve')
</button>
</form>

<button data-target="#postpone-{{ $torrent->id }}" data-toggle="modal"
class="btn btn-labeled btn-warning btn-xs @if ($torrent->isPostponed()) disabled @endif">
@@ -241,14 +241,14 @@
Route::get('/{id}/edit', [App\Http\Controllers\RequestController::class, 'editRequestForm'])->name('edit_request_form');
Route::post('/{id}/edit', [App\Http\Controllers\RequestController::class, 'editRequest'])->name('edit_request');
Route::get('/{id}{hash?}', [App\Http\Controllers\RequestController::class, 'request'])->name('request');
Route::get('/{id}/accept', [App\Http\Controllers\RequestController::class, 'approveRequest'])->name('approveRequest');
Route::post('/{id}/accept', [App\Http\Controllers\RequestController::class, 'approveRequest'])->name('approveRequest');
Route::post('/{id}/delete', [App\Http\Controllers\RequestController::class, 'deleteRequest'])->name('deleteRequest');
Route::post('/{id}/fill', [App\Http\Controllers\RequestController::class, 'fillRequest'])->name('fill_request');
Route::get('/{id}/reject', [App\Http\Controllers\RequestController::class, 'rejectRequest'])->name('rejectRequest');
Route::post('/{id}/reject', [App\Http\Controllers\RequestController::class, 'rejectRequest'])->name('rejectRequest');
Route::post('/{id}/vote', [App\Http\Controllers\RequestController::class, 'addBonus'])->name('add_votes');
Route::post('/{id}/claim', [App\Http\Controllers\RequestController::class, 'claimRequest'])->name('claimRequest');
Route::get('/{id}/unclaim', [App\Http\Controllers\RequestController::class, 'unclaimRequest'])->name('unclaimRequest');
Route::get('/{id}/reset', [App\Http\Controllers\RequestController::class, 'resetRequest'])->name('resetRequest')->middleware('modo');
Route::post('/{id}/unclaim', [App\Http\Controllers\RequestController::class, 'unclaimRequest'])->name('unclaimRequest');
Route::post('/{id}/reset', [App\Http\Controllers\RequestController::class, 'resetRequest'])->name('resetRequest')->middleware('modo');
});

// Torrents System
@@ -782,7 +782,7 @@
Route::group(['prefix' => 'moderation'], function () {
Route::name('staff.moderation.')->group(function () {
Route::get('/', [App\Http\Controllers\Staff\ModerationController::class, 'index'])->name('index');
Route::get('/{id}/approve', [App\Http\Controllers\Staff\ModerationController::class, 'approve'])->name('approve');
Route::post('/{id}/approve', [App\Http\Controllers\Staff\ModerationController::class, 'approve'])->name('approve');
Route::post('/reject', [App\Http\Controllers\Staff\ModerationController::class, 'reject'])->name('reject');
Route::post('/postpone', [App\Http\Controllers\Staff\ModerationController::class, 'postpone'])->name('postpone');
});

0 comments on commit 804c4c6

Please sign in to comment.