Make releaseAllGrades, withdrawAllGrades, etc. POST to prevent CSRF a…

…ttacks (#1512) * clean up commits * Clean-up HTML * Centralize protect_from_forgery Co-authored-by: Damian Ho <damian_ho_xu_yang@yahoo.com>
autolab · Apr 30, 2022 · a5fa31e · a5fa31e
1 parent da1689c
commit a5fa31e
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 10 deletions.
diff --git a/app/assets/stylesheets/style.css.scss b/app/assets/stylesheets/style.css.scss
@@ -1078,6 +1078,20 @@ form p:last-child {
   padding-left: 14px;
 }
 
+.danger-side input {
+  background: none;
+  border: none;
+  padding-left: 14px;
+  text-decoration: none;
+  color: #0882af;
+  font-family: "Source Sans Pro", sans-serif;
+  font-weight: 300;
+  font-size: 16px;
+  text-align: left;
+  width: 100%;
+  cursor: pointer;
+}
+
 /* Form Tables */
 
 .verticalTable tr {

diff --git a/app/controllers/assessments_controller.rb b/app/controllers/assessments_controller.rb
@@ -64,6 +64,8 @@ class AssessmentsController < ApplicationController
   action_auth_level :set_repo, :instructor
   action_auth_level :import_svn, :instructor
 
+  protect_from_forgery with: :exception
+
   def index
     @is_instructor = @cud.has_auth_level? :instructor
     announcements_tmp = Announcement.where("start_date < :now AND end_date > :now",

diff --git a/app/views/assessments/show.html.erb b/app/views/assessments/show.html.erb
@@ -76,9 +76,11 @@
               <li class="collection-item red-text danger-bottom no-hover"><h4>Danger Zone</h4></li>
 
               <li class="danger-side">
-                <%= link_to "Release all grades", {:action => "releaseAllGrades" }, {:title=>  "Make all scores for this assessment visible to students", :class=>"", data: {confirm: "Are you sure you want to release all grades?"}} %>
-                </li>
-              <li class="danger-side"> <%= link_to "Withdraw all grades", {:action => "withdrawAllGrades" }, {:title=>  "Hide all scores for this assessment from students", data: {confirm: "Are you sure you want to withdraw all grades?"}} %></li>
+                <%= button_to "Release all grades", { :action => "releaseAllGrades" }, { :title=> "Make all scores for this assessment visible to students", data: {confirm: "Are you sure you want to release all grades?"}} %>
+              </li>
+              <li class="danger-side">
+                <%= button_to "Withdraw all grades", { :action => "withdrawAllGrades" }, {:title=> "Hide all scores for this assessment from students", data: {confirm: "Are you sure you want to withdraw all grades?"}} %>
+              </li>
               <li class="danger-side danger-bottom"> <%= link_to "Reload config file", {:action => "reload" }, {:title=> "Reload the assessment config file (provided for backward compatibility with legacy assessments)", data: {confirm: "Are you sure you want to reload the config file?"}} %></li>
             </ul>
           </div>
@@ -104,10 +106,9 @@
               <li class="collection-item red-text danger-bottom no-hover"><h4>Danger Zone</h4></li>
               <li class="danger-side"><%= link_to "Reload config file", url_for(:action => 'reload'),
                 :title=> "Reload the assessment configuration file (provided for backward compatibility with legacy assessments)", data: {confirm: "Are you sure you want to reload the config file?"} %></li>
-              <li class="danger-side danger-bottom"><%= link_to "Release section grades", url_for(:action => 'releaseSectionGrades'),
-                :title=> "Make all scores visible to the students in your section. This will work only if your instructor has assigned you to a lecture and section in your Autolab account.", data: {confirm: "Are you sure you want to release section grades?"} %></li>
-
-
+              <li class="danger-side danger-bottom">
+                <%= button_to "Release section grades", { :action => "releaseSectionGrades" }, { :title=> "Make all scores visible to the students in your section. This will work only if your instructor has assigned you to a lecture and section in your Autolab account.", data: {confirm: "Are you sure you want to release section grades?"}} %>
+              </li>
             </ul>
           </div>
         </li>

diff --git a/config/routes.rb b/config/routes.rb
@@ -140,12 +140,12 @@
         match "bulkGrade", via: [:get, :post]
         post "bulkGrade_complete"
         get "bulkExport"
-        get "releaseAllGrades"
-        get "releaseSectionGrades"
+        post "releaseAllGrades"
+        post "releaseSectionGrades"
         get "viewFeedback"
         get "reload"
         get "statistics"
-        get "withdrawAllGrades"
+        post "withdrawAllGrades"
         get "export"
         patch "edit/*active_tab", action: :update
         get "edit/*active_tab", action: :edit