Merge pull request from GHSA-p8gp-899c-jvq9
Replace GET with POST for resetting user data
nicosomb committed Aug 21, 2023
2 parents 94a6bc0 + a9893d7 commit 78b0b55
Showing 3 changed files with 44 additions and 19 deletions.
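--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -523,12 +523,16 @@ public function editIgnoreOriginRuleAction(IgnoreOriginUserRule $rule)
 /**
 * Remove all annotations OR tags OR entries for the current user.
 *
-* @Route("/reset/{type}", requirements={"id" = "annotations|tags|entries"}, name="config_reset")
+* @Route("/reset/{type}", requirements={"id" = "annotations|tags|entries"}, name="config_reset", methods={"POST"})
 *
 * @return RedirectResponse
 */
-public function resetAction(string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository)
+public function resetAction(Request $request, string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository)
 {
+if (!$this->isCsrfTokenValid('reset-area', $request->request->get('token'))) {
+throw $this->createAccessDeniedException('Bad CSRF token.');
+}
+
 switch ($type) {
 case 'annotations':
 $annotationRepository->removeAllByUserId($this->getUser()->getId());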
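Review bot: The route requirement on the new @Route line is keyed `id` while the placeholder is `{type}`, so the `annotations|tags|entries` pattern is never applied and `type` reaches the switch unconstrained; the template and tests in this same commit also submit `archived`, which that pattern would not admit even if it were keyed correctly. Consider `requirements={"type" = "annotations|tags|entries|archived"}`, assuming the switch handles `archived` in the part of the body below the hunk. The docblock could also state the new precondition the commit introduces, e.g. `Expects a valid 'reset-area' CSRF token in the POST body and denies access otherwise.` The switch body of resetAction continues past the end of the hunk.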
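--- a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
@@ -552,18 +552,34 @@
 <div class="row">
 <h5>{{ 'config.reset.title'|trans }}</h5>
 <p>{{ 'config.reset.description'|trans }}</p>
-<a href="{{ path('config_reset', {type: 'annotations'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-{{ 'config.reset.annotations'|trans }}
-</a>
-<a href="{{ path('config_reset', {type: 'tags'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-{{ 'config.reset.tags'|trans }}
-</a>
-<a href="{{ path('config_reset', {type: 'archived'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-{{ 'config.reset.archived'|trans }}
-</a>
-<a href="{{ path('config_reset', {type: 'entries'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-{{ 'config.reset.entries'|trans }}
-</a>
+<p>
+<form action="{{ path('config_reset', { type: 'annotations' }) }}" method="post" onsubmit="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" name="reset-annotations">
+<input type="hidden" name="token" value="{{ csrf_token('reset-area') }}" />
+
+<button class="waves-effect waves-light btn red" type="submit">{{ 'config.reset.annotations'|trans }}</button>
+</form>
+</p>
+<p>
+<form action="{{ path('config_reset', { type: 'tags' }) }}" method="post" onsubmit="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" name="reset-tags">
+<input type="hidden" name="token" value="{{ csrf_token('reset-area') }}" />
+
+<button class="waves-effect waves-light btn red" type="submit">{{ 'config.reset.tags'|trans }}</button>
+</form>
+</p>
+<p>
+<form action="{{ path('config_reset', { type: 'archived' }) }}" method="post" onsubmit="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" name="reset-archived">
+<input type="hidden" name="token" value="{{ csrf_token('reset-area') }}" />
+
+<button class="waves-effect waves-light btn red" type="submit">{{ 'config.reset.archived'|trans }}</button>
+</form>
+</p>
+<p>
+<form action="{{ path('config_reset', { type: 'entries' }) }}" method="post" onsubmit="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" name="reset-entries">
+<input type="hidden" name="token" value="{{ csrf_token('reset-area') }}" />
+
+<button class="waves-effect waves-light btn red" type="submit">{{ 'config.reset.entries'|trans }}</button>
+</form>
+</p>
 </div>
 
 {% if enabled_users > 1 %}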
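Review bot: Each of the four new `<form>` elements is nested inside a `<p>`, which HTML does not permit: the parser implicitly closes the `<p>` when it meets the `<form>`, leaving the trailing `</p>` stray, so rendering can differ between browsers and a markup validator will flag it. Wrapping each form in `<div>` … `</div>` instead of `<p>` … `</p>` keeps the markup valid without changing behaviour. The hidden field name `token` and the `reset-area` token id match what the controller validates, so the CSRF wiring itself is consistent across the two files.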
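--- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
@@ -929,7 +929,8 @@ public function testReset()
 
 $this->assertSame(200, $client->getResponse()->getStatusCode());
 
-$crawler = $client->click($crawler->selectLink('config.reset.annotations')->link());
+$form = $crawler->filter('form[name=reset-annotations]')->form();
+$client->submit($form);
 
 $this->assertSame(302, $client->getResponse()->getStatusCode());
 $this->assertStringContainsString('flashes.config.notice.annotations_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
@@ -945,7 +946,8 @@ public function testReset()
 
 $this->assertSame(200, $client->getResponse()->getStatusCode());
 
-$crawler = $client->click($crawler->selectLink('config.reset.tags')->link());
+$form = $crawler->filter('form[name=reset-tags]')->form();
+$client->submit($form);
 
 $this->assertSame(302, $client->getResponse()->getStatusCode());
 $this->assertStringContainsString('flashes.config.notice.tags_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
@@ -961,7 +963,8 @@ public function testReset()
 
 $this->assertSame(200, $client->getResponse()->getStatusCode());
 
-$crawler = $client->click($crawler->selectLink('config.reset.entries')->link());
+$form = $crawler->filter('form[name=reset-entries]')->form();
+$client->submit($form);
 
 $this->assertSame(302, $client->getResponse()->getStatusCode());
 $this->assertStringContainsString('flashes.config.notice.entries_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
@@ -1027,7 +1030,8 @@ public function testResetArchivedEntries()
 
 $this->assertSame(200, $client->getResponse()->getStatusCode());
 
-$crawler = $client->click($crawler->selectLink('config.reset.archived')->link());
+$form = $crawler->filter('form[name=reset-archived]')->form();
+$client->submit($form);
 
 $this->assertSame(302, $client->getResponse()->getStatusCode());
 $this->assertStringContainsString('flashes.config.notice.archived_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
@@ -1086,7 +1090,8 @@ public function testResetEntriesCascade()
 
 $this->assertSame(200, $client->getResponse()->getStatusCode());
 
-$crawler = $client->click($crawler->selectLink('config.reset.entries')->link());
+$form = $crawler->filter('form[name=reset-entries]')->form();
+$client->submit($form);
 
 $this->assertSame(302, $client->getResponse()->getStatusCode());
 $this->assertStringContainsString('flashes.config.notice.entries_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);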
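Review bot: The updated assertions only cover the accepted path (a POST carrying the token the page rendered); nothing checks that the two protections this commit adds actually refuse a request, so a later regression that drops `methods={"POST"}` or the `isCsrfTokenValid` check would still pass the suite. A test that issues a GET to the form's action URI and expects 405, then submits the form with a tampered `token` and expects 403, would pin both; a sketch reusing the `$client`/`$crawler` setup of testReset follows. The exact status codes depend on the firewall and error handling configuration, which is not visible here, so adjust them to what the test environment returns. Each of the five test methods touched starts before its hunk.
```php
public function testResetRejectsGetAndInvalidCsrfToken()
{
    // … setup: log in and load the config page into $crawler, as in testReset …

    $form = $crawler->filter('form[name=reset-annotations]')->form();

    // GET is no longer an accepted method for the reset route
    $client->request('GET', $form->getUri());
    $this->assertSame(405, $client->getResponse()->getStatusCode());

    // a POST whose token does not match 'reset-area' must be refused (constructed value)
    $form['token'] = 'not-a-valid-token';
    $client->submit($form);
    $this->assertSame(403, $client->getResponse()->getStatusCode());
}
```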
