security: cross-site request forgery

HDInnovations · Sep 23, 2021 · 1e8975b · 1e8975b
1 parent 0ceb9ce
commit 1e8975b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/resources/views/user/buttons/profile.blade.php b/resources/views/user/buttons/profile.blade.php
@@ -21,9 +21,12 @@
                     <i class='{{ config('other.font-awesome') }} fa-lock'></i> @lang('user.go-private')
                 </a>
             @else
-                <a href="{{ route('user_public', ['username' => $user->username]) }}" class="btn btn-sm btn-success">
-                    <i class='{{ config('other.font-awesome') }} fa-lock-open'></i> @lang('user.go-public')
-                </a>
+                <form role="form" method="POST" action="{{ route('user_public', ['username' => $user->username]) }}" style="display: inline-block;">
+                    @csrf
+                    <button type="submit" class="btn btn-sm btn-success">
+                        <i class='{{ config('other.font-awesome') }} fa-lock-open'></i> @lang('user.go-public')
+                    </button>
+                </form>
             @endif
             @if((auth()->user()->block_notifications == 0 || auth()->user()->block_notifications == 0))
                 <a href="{{ route('notification_disable', ['username' => $user->username]) }}" class="btn btn-sm btn-danger">

diff --git a/routes/web.php b/routes/web.php
@@ -344,7 +344,7 @@
             Route::post('/{username}/settings/hidden', [App\Http\Controllers\UserController::class, 'makeHidden'])->name('user_hidden');
             Route::post('/{username}/settings/visible', [App\Http\Controllers\UserController::class, 'makeVisible'])->name('user_visible');
             Route::get('/{username}/settings/private', [App\Http\Controllers\UserController::class, 'makePrivate'])->name('user_private');
-            Route::get('/{username}/settings/public', [App\Http\Controllers\UserController::class, 'makePublic'])->name('user_public');
+            Route::post('/{username}/settings/public', [App\Http\Controllers\UserController::class, 'makePublic'])->name('user_public');
             Route::post('/accept-rules', [App\Http\Controllers\UserController::class, 'acceptRules'])->name('accept.rules');
             Route::get('/{username}/seedboxes', [App\Http\Controllers\SeedboxController::class, 'index'])->name('seedboxes.index');
             Route::post('/{username}/seedboxes', [App\Http\Controllers\SeedboxController::class, 'store'])->name('seedboxes.store');