From 0ceb9ce84e692ba553824562dd74cfaa3b598e8c Mon Sep 17 00:00:00 2001
From: HDVinnie <hdinnovations@protonmail.com>
Date: Thu, 23 Sep 2021 11:41:05 -0400
Subject: [PATCH] security: cross-site request forgery

---
 resources/views/user/buttons/profile.blade.php | 9 ++++++---
 routes/web.php                                 | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/resources/views/user/buttons/profile.blade.php b/resources/views/user/buttons/profile.blade.php
index d0e23a6c92..244105713d 100644
--- a/resources/views/user/buttons/profile.blade.php
+++ b/resources/views/user/buttons/profile.blade.php
@@ -2,9 +2,12 @@
     <div class="button-left">
         @if(auth()->user()->id == $user->id)
             @if((!auth()->user()->hidden || auth()->user()->hidden == 0))
-                <a href="{{ route('user_hidden', ['username' => $user->username]) }}" class="btn btn-sm btn-danger">
-                    <i class='{{ config('other.font-awesome') }} fa-eye-slash'></i> @lang('user.become-hidden')
-                </a>
+                <form role="form" method="POST" action="{{ route('user_hidden', ['username' => $user->username]) }}" style="display: inline-block;">
+                    @csrf
+                    <button type="submit" class="btn btn-sm btn-danger">
+                        <i class='{{ config('other.font-awesome') }} fa-eye-slash'></i> @lang('user.become-hidden')
+                    </button>
+                </form>
             @else
                 <form role="form" method="POST" action="{{ route('user_visible', ['username' => $user->username]) }}" style="display: inline-block;">
                     @csrf
diff --git a/routes/web.php b/routes/web.php
index e80f6d866d..e17c642d92 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -341,7 +341,7 @@
             Route::post('/{username}/settings/privacy/request', [App\Http\Controllers\UserController::class, 'changeRequest'])->name('privacy_request');
             Route::post('/{username}/settings/privacy/other', [App\Http\Controllers\UserController::class, 'changeOther'])->name('privacy_other');
             Route::post('/{username}/settings/change_twostep', [App\Http\Controllers\UserController::class, 'changeTwoStep'])->name('change_twostep');
-            Route::get('/{username}/settings/hidden', [App\Http\Controllers\UserController::class, 'makeHidden'])->name('user_hidden');
+            Route::post('/{username}/settings/hidden', [App\Http\Controllers\UserController::class, 'makeHidden'])->name('user_hidden');
             Route::post('/{username}/settings/visible', [App\Http\Controllers\UserController::class, 'makeVisible'])->name('user_visible');
             Route::get('/{username}/settings/private', [App\Http\Controllers\UserController::class, 'makePrivate'])->name('user_private');
             Route::get('/{username}/settings/public', [App\Http\Controllers\UserController::class, 'makePublic'])->name('user_public');