Fix CSRF issues
GET routes are not protected against CSRF. This commit changes the needed URLs to POST and replace simple links with forms. Thanks @fdb-hiroshima for noticing it!
This commit is contained in:
@@ -156,7 +156,7 @@ fn admin_instances_paginated(admin: Admin, conn: DbConn, page: Page) -> Template
|
||||
}))
|
||||
}
|
||||
|
||||
#[get("/admin/instances/<id>/block")]
|
||||
#[post("/admin/instances/<id>/block")]
|
||||
fn toggle_block(_admin: Admin, conn: DbConn, id: i32) -> Redirect {
|
||||
if let Some(inst) = Instance::get(&*conn, id) {
|
||||
inst.toggle_block(&*conn);
|
||||
@@ -183,7 +183,7 @@ fn admin_users_paginated(admin: Admin, conn: DbConn, page: Page) -> Template {
|
||||
}))
|
||||
}
|
||||
|
||||
#[get("/admin/users/<id>/ban")]
|
||||
#[post("/admin/users/<id>/ban")]
|
||||
fn ban(_admin: Admin, conn: DbConn, id: i32) -> Redirect {
|
||||
User::get(&*conn, id).map(|u| u.delete(&*conn));
|
||||
Redirect::to(uri!(admin_users))
|
||||
|
||||
@@ -97,14 +97,14 @@ fn details(id: i32, user: User, conn: DbConn) -> Template {
|
||||
}))
|
||||
}
|
||||
|
||||
#[get("/medias/<id>/delete")]
|
||||
#[post("/medias/<id>/delete")]
|
||||
fn delete(id: i32, _user: User, conn: DbConn) -> Redirect {
|
||||
let media = Media::get(&*conn, id).expect("Media to delete not found");
|
||||
media.delete(&*conn);
|
||||
Redirect::to(uri!(list))
|
||||
}
|
||||
|
||||
#[get("/medias/<id>/avatar")]
|
||||
#[post("/medias/<id>/avatar")]
|
||||
fn set_avatar(id: i32, user: User, conn: DbConn) -> Redirect {
|
||||
let media = Media::get(&*conn, id).expect("Media to delete not found");
|
||||
user.set_avatar(&*conn, media.id);
|
||||
|
||||
+1
-1
@@ -338,7 +338,7 @@ fn create(blog_name: String, data: LenientForm<NewPostForm>, user: User, conn: D
|
||||
}
|
||||
}
|
||||
|
||||
#[get("/~/<blog_name>/<slug>/delete")]
|
||||
#[post("/~/<blog_name>/<slug>/delete")]
|
||||
fn delete(blog_name: String, slug: String, conn: DbConn, user: User, worker: State<Pool<ThunkWorker<()>>>) -> Redirect {
|
||||
let post = Blog::find_by_fqn(&*conn, blog_name.clone())
|
||||
.and_then(|blog| Post::find_by_slug(&*conn, slug.clone(), blog.id));
|
||||
|
||||
+3
-3
@@ -118,7 +118,7 @@ fn dashboard_auth() -> Flash<Redirect> {
|
||||
)
|
||||
}
|
||||
|
||||
#[get("/@/<name>/follow")]
|
||||
#[post("/@/<name>/follow")]
|
||||
fn follow(name: String, conn: DbConn, user: User, worker: Worker) -> Redirect {
|
||||
let target = User::find_by_fqn(&*conn, name.clone()).unwrap();
|
||||
if let Some(follow) = follows::Follow::find(&*conn, user.id, target.id) {
|
||||
@@ -138,7 +138,7 @@ fn follow(name: String, conn: DbConn, user: User, worker: Worker) -> Redirect {
|
||||
Redirect::to(uri!(details: name = name))
|
||||
}
|
||||
|
||||
#[get("/@/<name>/follow", rank = 2)]
|
||||
#[post("/@/<name>/follow", rank = 2)]
|
||||
fn follow_auth(name: String) -> Flash<Redirect> {
|
||||
utils::requires_login(
|
||||
"You need to be logged in order to follow someone",
|
||||
@@ -225,7 +225,7 @@ fn update(_name: String, conn: DbConn, user: User, data: LenientForm<UpdateUserF
|
||||
Redirect::to(uri!(me))
|
||||
}
|
||||
|
||||
#[get("/@/<name>/delete")]
|
||||
#[post("/@/<name>/delete")]
|
||||
fn delete(name: String, conn: DbConn, user: User, mut cookies: Cookies) -> Redirect {
|
||||
let account = User::find_by_fqn(&*conn, name.clone()).unwrap();
|
||||
if user.id == account.id {
|
||||
|
||||
Reference in New Issue
Block a user