From 220db85e7670f36d3b335efe50a20ce47cfcbee4 Mon Sep 17 00:00:00 2001
From: HDVinnie <hdinnovations@protonmail.com>
Date: Thu, 23 Sep 2021 22:09:55 -0400
Subject: [PATCH] security: cross-site request forgery

- huntr bounty
---
 resources/views/partials/dashboardmenu.blade.php | 12 ++++++++----
 routes/web.php                                   |  2 +-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/resources/views/partials/dashboardmenu.blade.php b/resources/views/partials/dashboardmenu.blade.php
index 969f60ef7a..86e276e32b 100644
--- a/resources/views/partials/dashboardmenu.blade.php
+++ b/resources/views/partials/dashboardmenu.blade.php
@@ -51,7 +51,7 @@
                 <form role="form" method="POST" action="{{ route('staff.flush.chat') }}" style="padding: 10px 15px;">
                     @csrf
                     <i class="{{ config('other.font-awesome') }} fa-broom"></i>
-                    <button type="submit" class="btn btn-xs btn-info">
+                    <button type="submit" class="btn btn-xs btn-info" style="margin-bottom: 5px;">
                         @lang('staff.flush-chat')
                     </button>
                 </form>
@@ -132,9 +132,13 @@
                 </a>
             </li>
             <li>
-                <a href="{{ route('staff.flush.peers') }}">
-                    <i class="fab fa-snapchat-ghost"></i> @lang('staff.flush-ghost-peers')
-                </a>
+                <form role="form" method="POST" action="{{ route('staff.flush.peers') }}" style="padding: 10px 15px;">
+                    @csrf
+                    <i class="{{ config('other.font-awesome') }} fa-ghost"></i>
+                    <button type="submit" class="btn btn-xs btn-info" style="margin-bottom: 5px;">
+                        @lang('staff.flush-ghost-peers')
+                    </button>
+                </form>
             </li>
 
             <li class="nav-header head">
diff --git a/routes/web.php b/routes/web.php
index 0ec26b8f38..3e9947173a 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -748,7 +748,7 @@
         // Flush System
         Route::group(['prefix' => 'flush'], function () {
             Route::name('staff.flush.')->group(function () {
-                Route::get('/peers', [App\Http\Controllers\Staff\FlushController::class, 'peers'])->name('peers');
+                Route::post('/peers', [App\Http\Controllers\Staff\FlushController::class, 'peers'])->name('peers');
                 Route::post('/chat', [App\Http\Controllers\Staff\FlushController::class, 'chat'])->name('chat');
             });
         });