From a5fa31e053fe9f03b57529bcc5942591e3f1d27c Mon Sep 17 00:00:00 2001
From: Joey Wildman
Date: Sat, 30 Apr 2022 16:47:30 -0400
Subject: [PATCH] Make releaseAllGrades, withdrawAllGrades, etc. POST to prevent CSRF attacks (#1512)
* clean up commits
* Clean-up HTML
* Centralize protect_from_forgery
Co-authored-by: Damian Ho
---
app/assets/stylesheets/style.css.scss | 14 ++++++++++++++
app/controllers/assessments_controller.rb | 2 ++
app/views/assessments/show.html.erb | 15 ++++++++-------
config/routes.rb | 6 +++---
4 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/app/assets/stylesheets/style.css.scss b/app/assets/stylesheets/style.css.scss
index 237f91d9d..f80ad5d8a 100755
--- a/app/assets/stylesheets/style.css.scss
+++ b/app/assets/stylesheets/style.css.scss
@@ -1078,6 +1078,20 @@ form p:last-child { padding-left: 14px; } +.danger-side input { background: none; border: none; padding-left: 14px; text-decoration: none; color: #0882af; font-family: "Source Sans Pro", sans-serif; font-weight: 300; font-size: 16px; text-align: left; width: 100%; cursor: pointer; +} + /* Form Tables */ .verticalTable tr {
diff --git a/app/controllers/assessments_controller.rb b/app/controllers/assessments_controller.rb
index da1a29596..e9fdf963a 100755
--- a/app/controllers/assessments_controller.rb
+++ b/app/controllers/assessments_controller.rb
@@ -64,6 +64,8 @@ class AssessmentsController < ApplicationController action_auth_level :set_repo, :instructor action_auth_level :import_svn, :instructor + protect_from_forgery with: :exception + def index @is_instructor = @cud.has_auth_level? :instructor announcements_tmp = Announcement.where("start_date < :now AND end_date > :now",
diff --git a/app/views/assessments/show.html.erb b/app/views/assessments/show.html.erb
index b9479acae..aead65b93 100755
--- a/app/views/assessments/show.html.erb
+++ b/app/views/assessments/show.html.erb
@@ -76,9 +76,11 @@
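Review bot: `protect_from_forgery with: :exception` is declared only on AssessmentsController, so the authenticity-token check applies to this controller's non-GET actions and nothing else; whether that matches the "Centralize protect_from_forgery" line in the commit message depends on ApplicationController, which is outside this patch — if it already declares forgery protection this line is redundant, and if it does not, every other controller stays at the framework default. Rails skips the authenticity check for GET and HEAD requests, so this declaration only protects the actions that the config/routes.rb hunk moves to POST, while `reload` is still routed with `get` and is unaffected by it. Consider moving the declaration to ApplicationController and documenting the dependency at this line, e.g. `# CSRF tokens are only verified on non-GET requests; state-changing actions must be routed via POST (see config/routes.rb)`. The class body continues outside the hunk.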
  • Danger Zone

  • - <%= link_to "Release all grades", {:action => "releaseAllGrades" }, {:title=> "Make all scores for this assessment visible to students", :class=>"", data: {confirm: "Are you sure you want to release all grades?"}} %> -
  • -
  • <%= link_to "Withdraw all grades", {:action => "withdrawAllGrades" }, {:title=> "Hide all scores for this assessment from students", data: {confirm: "Are you sure you want to withdraw all grades?"}} %>
  • + <%= button_to "Release all grades", { :action => "releaseAllGrades" }, { :title=> "Make all scores for this assessment visible to students", data: {confirm: "Are you sure you want to release all grades?"}} %> + +
  • + <%= button_to "Withdraw all grades", { :action => "withdrawAllGrades" }, {:title=> "Hide all scores for this assessment from students", data: {confirm: "Are you sure you want to withdraw all grades?"}} %> +
  • <%= link_to "Reload config file", {:action => "reload" }, {:title=> "Reload the assessment config file (provided for backward compatibility with legacy assessments)", data: {confirm: "Are you sure you want to reload the config file?"}} %>
  • @@ -104,10 +106,9 @@
  • Danger Zone

  • <%= link_to "Reload config file", url_for(:action => 'reload'), :title=> "Reload the assessment configuration file (provided for backward compatibility with legacy assessments)", data: {confirm: "Are you sure you want to reload the config file?"} %>
  • -
  • <%= link_to "Release section grades", url_for(:action => 'releaseSectionGrades'), - :title=> "Make all scores visible to the students in your section. This will work only if your instructor has assigned you to a lecture and section in your Autolab account.", data: {confirm: "Are you sure you want to release section grades?"} %>
  • - - +
  • + <%= button_to "Release section grades", { :action => "releaseSectionGrades" }, { :title=> "Make all scores visible to the students in your section. This will work only if your instructor has assigned you to a lecture and section in your Autolab account.", data: {confirm: "Are you sure you want to release section grades?"}} %> +
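Review bot: "Reload config file" is still rendered with `link_to` in both Danger Zone sections of this hunk while the config/routes.rb hunk keeps `get "reload"`, so a state-changing action remains reachable through a plain GET guarded only by a client-side data-confirm — the same gap this commit closes for the grade actions. Convert it the same way: `button_to` with the same arguments for that entry in both sections, and `post "reload"` in routes.rb. As a style point, the new `button_to` calls mix hashrocket and new-style hash syntax (`:action =>` and `:title=>` next to `data:`); writing them as `{ action: "releaseAllGrades" }` with `title:` and `data: { confirm: ... }` keys in the html_options hash would be consistent. The hunk's HTML markup appears stripped in this rendering, so the wrapping elements around the new forms could not be reviewed.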
  • diff --git a/config/routes.rb b/config/routes.rb
index b20038c65..95be7278b 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -140,12 +140,12 @@ match "bulkGrade", via: [:get, :post] post "bulkGrade_complete" get "bulkExport" - get "releaseAllGrades" - get "releaseSectionGrades" + post "releaseAllGrades" + post "releaseSectionGrades" get "viewFeedback" get "reload" get "statistics" - get "withdrawAllGrades" + post "withdrawAllGrades" get "export" patch "edit/*active_tab", action: :update get "edit/*active_tab", action: :edit