security: cross-site request forgery

- huntr
HDInnovations · Nov 15, 2021 · 804c4c6 · 804c4c6
1 parent 74695a1
commit 804c4c6
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 46 deletions.
diff --git a/resources/views/Staff/moderation/index.blade.php b/resources/views/Staff/moderation/index.blade.php
@@ -52,13 +52,18 @@ class="l-breadcrumb-item-link-title">{{ $p->name }}</span></a>
                                itemprop="url" class="l-breadcrumb-item-link"><span itemprop="title"
                                                                                    class="l-breadcrumb-item-link-title">{{ $p->user->username }}
                                     ({{ $p->user->group->name }})</span></a></td>
-                        <td><a href="{{ route('staff.moderation.approve', ['id' => $p->id]) }}" role='button'
-                               class='btn btn-labeled btn-success'>
-                                <span class="btn-label">
-                                    <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
-                                </span>
-                                @lang('common.moderation-approve')
-                            </a></td>
+                        <td>
+                            <form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $p->id]) }}"
+                                  style="display: inline-block;">
+                                @csrf
+                                <button type="submit" class="btn btn-labeled btn-success">
+                                    <span class="btn-label">
+                                        <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
+                                    </span>
+                                    @lang('common.moderation-approve')
+                                </button>
+                            </form>
+                        </td>
                         <td>
                             <button data-target="#pendpostpone-{{ $p->id }}" data-toggle="modal" class="btn btn-labeled btn-danger">
                                 <span class="btn-label"><i class="{{ config('other.font-awesome') }} fa-pause"></i></span>
@@ -214,13 +219,18 @@ class="l-breadcrumb-item-link-title">{{ $post->user->username }}
                                itemprop="url" class="l-breadcrumb-item-link"><span itemprop="title"
                                                                                    class="l-breadcrumb-item-link-title">{{ $post->moderated->username }}
                                     ({{ $post->moderated->group->name }})</span></a></td>
-                        <td><a href="{{ route('staff.moderation.approve', ['id' => $post->id]) }}" role='button'
-                               class='btn btn-labeled btn-success'>
-                                <span class="btn-label">
-                                    <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
-                                </span>
-                                @lang('common.moderation-approve')
-                            </a></td>
+                        <td>
+                            <form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $post->id]) }}"
+                                  style="display: inline-block;">
+                                @csrf
+                                <button type="submit" class="btn btn-labeled btn-success">
+                                    <span class="btn-label">
+                                        <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
+                                    </span>
+                                    @lang('common.moderation-approve')
+                                </button>
+                            </form>
+                        </td>
                         <td><a href="{{ route('edit', ['id' => $post->id]) }}" role='button'
                                class='btn btn-labeled btn-info'><span class="btn-label"><i
                                             class="{{ config('other.font-awesome') }} fa-pencil"></i></span>@lang('common.edit')</a></td>
@@ -329,13 +339,18 @@ class="l-breadcrumb-item-link-title">{{ $reject->user->username }}
                                itemprop="url" class="l-breadcrumb-item-link"><span itemprop="title"
                                                                                    class="l-breadcrumb-item-link-title">{{ $reject->moderated->username }}
                                     ({{ $reject->moderated->group->name }})</span></a></td>
-                        <td><a href="{{ route('staff.moderation.approve', ['id' => $reject->id]) }}" role='button'
-                               class='btn btn-labeled btn-success'>
-                                <span class="btn-label">
-                                    <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
-                                </span>
-                                @lang('common.moderation-approve')
-                            </a></td>
+                        <td>
+                            <form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $reject->id]) }}"
+                                  style="display: inline-block;">
+                                @csrf
+                                <button type="submit" class="btn btn-labeled btn-success">
+                                    <span class="btn-label">
+                                        <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>
+                                    </span>
+                                    @lang('common.moderation-approve')
+                                </button>
+                            </form>
+                        </td>
                         <td>
                             <button data-target="#rejectpost-{{ $reject->id }}" data-toggle="modal" class="btn btn-labeled btn-danger">
                                     <span class="btn-label"><i class="{{ config('other.font-awesome') }} fa-pause"></i></span>

diff --git a/resources/views/requests/request.blade.php b/resources/views/requests/request.blade.php
@@ -204,13 +204,13 @@ class="{{ config('other.font-awesome') }} fa-check-square"></i>@lang('request.fi
                                     </span>
 
                                     @if ($user->group->is_modo || $torrentRequestClaim->username == $user->username)
-                                        <a href="{{ route('unclaimRequest', ['id' => $torrentRequest->id]) }}"
-                                           class="btn btn-xs btn-danger" role="button" data-toggle="tooltip"
-                                           data-original-title="@lang('request.unclaim')">
-                                            <span class="icon">
-                                                <i class="{{ config('other.font-awesome') }} fa-times"></i> @lang('request.unclaim')
-                                            </span>
-                                        </a>
+                                       <form role="form" method="POST" action="{{ route('unclaimRequest', ['id' => $torrentRequest->id]) }}"
+                                             style="display: inline-block;">
+                                           @csrf
+                                           <button type="submit" class="btn btn-xs btn-danger">
+                                               <i class="{{ config('other.font-awesome') }} fa-times"></i> @lang('request.unclaim')
+                                           </button>
+                                       </form>
                                         <a href="{{ route('upload_form', ['category_id' => $torrentRequest->category_id, 'title' => $meta->title ?? ' ', 'imdb' => $meta->imdb ?? 0, 'tmdb' => $meta->tmdb ?? 0]) }}"
                                            class="btn btn-xs btn-success"> @lang('common.upload') {{ $meta->title ?? ''}}
                                         </a>
@@ -287,16 +287,20 @@ class="btn btn-xs btn-success"> @lang('common.upload') {{ $meta->title ?? ''}}
                                     <span class="badge-extra">
                                         {{ $torrentRequest->filled_when->diffForHumans() }}
                                     </span>
-                                    <span class="badge-extra">
-                                        <a href="{{ route('approveRequest', ['id' => $torrentRequest->id]) }}">
+                                    <form role="form" method="POST" action="{{ route('approveRequest', ['id' => $torrentRequest->id]) }}"
+                                          style="display: inline-block;">
+                                        @csrf
+                                        <button type="submit" class="btn btn-xs btn-success">
                                             @lang('request.approve')
-                                        </a>
-                                    </span>
-                                    <span class="badge-extra">
-                                        <a href="{{ route('rejectRequest', ['id' => $torrentRequest->id]) }}">
+                                        </button>
+                                    </form>
+                                    <form role="form" method="POST" action="{{ route('rejectRequest', ['id' => $torrentRequest->id]) }}"
+                                          style="display: inline-block;">
+                                        @csrf
+                                        <button type="submit" class="btn btn-xs btn-warning">
                                             @lang('request.reject')
-                                        </a>
-                                    </span>
+                                        </button>
+                                    </form>
                                 </td>
                             </tr>
                             <tr>

diff --git a/resources/views/requests/request_modals.blade.php b/resources/views/requests/request_modals.blade.php
@@ -84,7 +84,7 @@
                         aria-hidden="true">&times;</span></button>
                 <h2><i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i>@lang('request.reset-request')!</h2>
             </div>
-            <form role="form" method="GET" action="{{ route('resetRequest', ['id' => $torrentRequest->id]) }}">
+            <form role="form" method="POST" action="{{ route('resetRequest', ['id' => $torrentRequest->id]) }}">
                 @csrf
                 <div class="modal-body">
                     <p class="text-center">@lang('request.reset-confirmation')?</p>

diff --git a/resources/views/torrent/torrent.blade.php b/resources/views/torrent/torrent.blade.php
@@ -703,10 +703,13 @@ class="btn btn-primary btn-xs" role="button">
 
                                         @if (auth()->user()->group->is_modo)
                                             <div class="torrent-moderation-controls">
-                                                <a href="{{ route('staff.moderation.approve', ['id' => $torrent->id]) }}" role='button'
-                                                class='btn btn-labeled btn-success btn-xs @if ($torrent->isApproved()) disabled @endif'>
-                                                    <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i> @lang('common.moderation-approve')
-                                                </a>
+                                                <form role="form" method="POST" action="{{ route('staff.moderation.approve', ['id' => $torrent->id]) }}"
+                                                      style="display: inline-block;">
+                                                    @csrf
+                                                    <button type="submit" class="btn btn-labeled btn-xs btn-success @if ($torrent->isApproved()) disabled @endif">
+                                                        <i class="{{ config('other.font-awesome') }} fa-thumbs-up"></i> @lang('common.moderation-approve')
+                                                    </button>
+                                                </form>
 
                                                 <button data-target="#postpone-{{ $torrent->id }}" data-toggle="modal"
                                                         class="btn btn-labeled btn-warning btn-xs @if ($torrent->isPostponed()) disabled @endif">

diff --git a/routes/web.php b/routes/web.php
@@ -241,14 +241,14 @@
             Route::get('/{id}/edit', [App\Http\Controllers\RequestController::class, 'editRequestForm'])->name('edit_request_form');
             Route::post('/{id}/edit', [App\Http\Controllers\RequestController::class, 'editRequest'])->name('edit_request');
             Route::get('/{id}{hash?}', [App\Http\Controllers\RequestController::class, 'request'])->name('request');
-            Route::get('/{id}/accept', [App\Http\Controllers\RequestController::class, 'approveRequest'])->name('approveRequest');
+            Route::post('/{id}/accept', [App\Http\Controllers\RequestController::class, 'approveRequest'])->name('approveRequest');
             Route::post('/{id}/delete', [App\Http\Controllers\RequestController::class, 'deleteRequest'])->name('deleteRequest');
             Route::post('/{id}/fill', [App\Http\Controllers\RequestController::class, 'fillRequest'])->name('fill_request');
-            Route::get('/{id}/reject', [App\Http\Controllers\RequestController::class, 'rejectRequest'])->name('rejectRequest');
+            Route::post('/{id}/reject', [App\Http\Controllers\RequestController::class, 'rejectRequest'])->name('rejectRequest');
             Route::post('/{id}/vote', [App\Http\Controllers\RequestController::class, 'addBonus'])->name('add_votes');
             Route::post('/{id}/claim', [App\Http\Controllers\RequestController::class, 'claimRequest'])->name('claimRequest');
-            Route::get('/{id}/unclaim', [App\Http\Controllers\RequestController::class, 'unclaimRequest'])->name('unclaimRequest');
-            Route::get('/{id}/reset', [App\Http\Controllers\RequestController::class, 'resetRequest'])->name('resetRequest')->middleware('modo');
+            Route::post('/{id}/unclaim', [App\Http\Controllers\RequestController::class, 'unclaimRequest'])->name('unclaimRequest');
+            Route::post('/{id}/reset', [App\Http\Controllers\RequestController::class, 'resetRequest'])->name('resetRequest')->middleware('modo');
         });
 
         // Torrents System
@@ -782,7 +782,7 @@
         Route::group(['prefix' => 'moderation'], function () {
             Route::name('staff.moderation.')->group(function () {
                 Route::get('/', [App\Http\Controllers\Staff\ModerationController::class, 'index'])->name('index');
-                Route::get('/{id}/approve', [App\Http\Controllers\Staff\ModerationController::class, 'approve'])->name('approve');
+                Route::post('/{id}/approve', [App\Http\Controllers\Staff\ModerationController::class, 'approve'])->name('approve');
                 Route::post('/reject', [App\Http\Controllers\Staff\ModerationController::class, 'reject'])->name('reject');
                 Route::post('/postpone', [App\Http\Controllers\Staff\ModerationController::class, 'postpone'])->name('postpone');
             });