From 5dc526385f92644a7df45a897fef6185df269fdb Mon Sep 17 00:00:00 2001
From: HDVinnie <hdinnovations@protonmail.com>
Date: Thu, 23 Sep 2021 11:55:45 -0400
Subject: [PATCH] security: cross-site request forgery

---
 resources/views/user/buttons/profile.blade.php | 9 ++++++---
 routes/web.php                                 | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/resources/views/user/buttons/profile.blade.php b/resources/views/user/buttons/profile.blade.php
index 0a3307b51a..8617046207 100644
--- a/resources/views/user/buttons/profile.blade.php
+++ b/resources/views/user/buttons/profile.blade.php
@@ -32,9 +32,12 @@
                 </form>
             @endif
             @if((auth()->user()->block_notifications == 0 || auth()->user()->block_notifications == 0))
-                <a href="{{ route('notification_disable', ['username' => $user->username]) }}" class="btn btn-sm btn-danger">
-                    <i class='{{ config('other.font-awesome') }} fa-bell-slash'></i> @lang('user.disable-notifications')
-                </a>
+                <form role="form" method="POST" action="{{ route('notification_disable', ['username' => $user->username]) }}" style="display: inline-block;">
+                    @csrf
+                    <button type="submit" class="btn btn-sm btn-danger">
+                        <i class='{{ config('other.font-awesome') }} fa-bell-slash'></i> @lang('user.disable-notifications')
+                    </button>
+                </form>
             @else
                 <form role="form" method="POST" action="{{ route('notification_enable', ['username' => $user->username]) }}" style="display: inline-block;">
                     @csrf
diff --git a/routes/web.php b/routes/web.php
index 45b3b8c79a..32126c5ec5 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -323,7 +323,7 @@
             Route::post('/{username}/settings/change_pid', [App\Http\Controllers\UserController::class, 'changePID'])->name('change_pid');
             Route::post('/{username}/settings/change_rid', [App\Http\Controllers\UserController::class, 'changeRID'])->name('change_rid');
             Route::post('/{username}/settings/change_api_token', [App\Http\Controllers\UserController::class, 'changeApiToken'])->name('change_api_token');
-            Route::get('/{username}/settings/notification/disable', [App\Http\Controllers\UserController::class, 'disableNotifications'])->name('notification_disable');
+            Route::post('/{username}/settings/notification/disable', [App\Http\Controllers\UserController::class, 'disableNotifications'])->name('notification_disable');
             Route::post('/{username}/settings/notification/enable', [App\Http\Controllers\UserController::class, 'enableNotifications'])->name('notification_enable');
             Route::post('/{username}/settings/notification/account', [App\Http\Controllers\UserController::class, 'changeAccountNotification'])->name('notification_account');
             Route::post('/{username}/settings/notification/following', [App\Http\Controllers\UserController::class, 'changeFollowingNotification'])->name('notification_following');