From 83565046c38c7f2f026b16f04e99c35136a05573 Mon Sep 17 00:00:00 2001
From: HDVinnie <hdinnovations@protonmail.com>
Date: Mon, 13 Dec 2021 19:03:31 -0500
Subject: [PATCH] security: cross-site request forgery

---
 resources/views/user/user_modals.blade.php | 9 +++++++--
 routes/web.php                             | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/resources/views/user/user_modals.blade.php b/resources/views/user/user_modals.blade.php
index f3db46cb48..9da1ce2c7b 100644
--- a/resources/views/user/user_modals.blade.php
+++ b/resources/views/user/user_modals.blade.php
@@ -242,8 +242,13 @@
             <div class="modal-body">
                 <div class="py-3">
                     <div class="text-center">
-                        <a href="{{ route('user_delete', ['username' => $user->username]) }}"><input
-                                class="btn btn-danger" type="submit" value="Yes, Delete"></a>
+                        <form action="{{ route('user_delete', ['username' => $user->username]) }}" method="POST">
+                            @csrf
+                            @method('DELETE')
+                            <button type="submit" class="btn btn-danger">
+                                <i class="{{ config('other.font-awesome') }} fa-trash"></i> @lang('common.delete')
+                            </button>
+                        </form>
                     </div>
                 </div>
             </div>
diff --git a/routes/web.php b/routes/web.php
index b66b5d8bd6..4599f3bd0f 100755
--- a/routes/web.php
+++ b/routes/web.php
@@ -894,7 +894,7 @@
             Route::get('/{username}/settings', [App\Http\Controllers\Staff\UserController::class, 'settings'])->name('user_setting');
             Route::post('/{username}/permissions', [App\Http\Controllers\Staff\UserController::class, 'permissions'])->name('user_permissions');
             Route::post('/{username}/password', [App\Http\Controllers\Staff\UserController::class, 'password'])->name('user_password');
-            Route::get('/{username}/destroy', [App\Http\Controllers\Staff\UserController::class, 'destroy'])->name('user_delete');
+            Route::delete('/{username}/destroy', [App\Http\Controllers\Staff\UserController::class, 'destroy'])->name('user_delete');
             Route::post('/{username}/warn', [App\Http\Controllers\Staff\UserController::class, 'warnUser'])->name('user_warn');
         });