security: cross-site request forgery

- huntr
HDInnovations · Nov 15, 2021 · 33f4901 · 33f4901
1 parent 804c4c6
commit 33f4901
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 22 deletions.
diff --git a/resources/views/user/warninglog.blade.php b/resources/views/user/warninglog.blade.php
@@ -29,19 +29,19 @@
                             <strong>@lang('user.warnings') {{ $warningcount }} </strong>
                         </span>
                         <div class="pull-right">
-                            <form action="{{ route('massDeleteWarnings', ['username' => $user->username]) }}" method="POST">
+                            <form role="form" method="POST" action="{{ route('massDeactivateWarnings', ['username' => $user->username]) }}"
+                                  style="display: inline-block;">
+                                @csrf
+                                <button type="submit" class="btn btn-xs btn-warning">
+                                    <i class="{{ config('other.font-awesome') }} fa-power-off"></i> @lang('user.deactivate-all')
+                                </button>
+                            </form>
+                            <form role="form" action="{{ route('massDeleteWarnings', ['username' => $user->username]) }}" method="POST"
+                                  style="display: inline-block;">
                                 @csrf
                                 @method('DELETE')
-                                <a href="{{ route('massDeactivateWarnings', ['username' => $user->username]) }}">
-                                    <button type="button" class="btn btn btn-success" data-toggle="tooltip"
-                                        data-original-title="@lang('user.deactivate-all')">
-                                        <i class="{{ config('other.font-awesome') }} fa-check"></i>
-                                        @lang('user.deactivate-all')
-                                    </button>
-                                </a>
-                                <button type="submit" class="btn btn btn-danger" data-toggle="tooltip"
-                                    data-original-title="@lang('user.delete-all')">
-                                    <i class="{{ config('other.font-awesome') }} fa-times"></i>@lang('user.delete-all')
+                                <button type="submit" class="btn btn-xs btn-danger">
+                                    <i class="{{ config('other.font-awesome') }} fa-trash"></i> @lang('user.delete-all')
                                 </button>
                             </form>
                         </div>
@@ -97,10 +97,12 @@
                                                 @endif
                                             </td>
                                             <td>
-                                                <a href="{{ route('deactivateWarning', ['id' => $warning->id]) }}"
-                                        class="btn btn-xs btn-warning" @if ($warning->active == 0) disabled @endif>
-                                                    <i class="{{ config('other.font-awesome') }} fa-power-off"></i>
-                                                </a>
+                                                <form role="form" method="POST" action="{{ route('deactivateWarning', ['id' => $warning->id]) }}">
+                                                    @csrf
+                                                    <button type="submit" class="btn btn-xs btn-warning  @if ($warning->active == 0) disabled @endif">
+                                                        <i class="{{ config('other.font-awesome') }} fa-power-off"></i>
+                                                    </button>
+                                                </form>
                                             </td>
                                             <td>
                                                 <form action="{{ route('deleteWarning', ['id' => $warning->id]) }}" method="POST">
@@ -183,10 +185,12 @@ class="btn btn-xs btn-warning" @if ($warning->active == 0) disabled @endif>
                                                 </a>
                                             </td>
                                             <td>
-                                                <a href="{{ route('restoreWarning', ['id' => $softDeletedWarning->id]) }}"
-                                                    class="btn btn-xs btn-info">
-                                                    <i class="{{ config('other.font-awesome') }} fa-sync-alt"></i>
-                                                </a>
+                                                <form role="form" method="POST" action="{{ route('restoreWarning', ['id' => $softDeletedWarning->id]) }}">
+                                                    @csrf
+                                                    <button type="submit" class="btn btn-xs btn-info  @if ($warning->active == 0) disabled @endif">
+                                                        <i class="{{ config('other.font-awesome') }} fa-trash-restore"></i>
+                                                    </button>
+                                                </form>
                                             </td>
                                         </tr>
                                     @endforeach

diff --git a/routes/web.php b/routes/web.php
@@ -282,11 +282,11 @@
 
         // Warnings System
         Route::group(['prefix' => 'warnings'], function () {
-            Route::get('/{id}/deactivate', [App\Http\Controllers\WarningController::class, 'deactivate'])->name('deactivateWarning');
-            Route::get('/{username}/mass-deactivate', [App\Http\Controllers\WarningController::class, 'deactivateAllWarnings'])->name('massDeactivateWarnings');
+            Route::post('/{id}/deactivate', [App\Http\Controllers\WarningController::class, 'deactivate'])->name('deactivateWarning');
+            Route::post('/{username}/mass-deactivate', [App\Http\Controllers\WarningController::class, 'deactivateAllWarnings'])->name('massDeactivateWarnings');
             Route::delete('/{id}', [App\Http\Controllers\WarningController::class, 'deleteWarning'])->name('deleteWarning');
             Route::delete('/{username}/mass-delete', [App\Http\Controllers\WarningController::class, 'deleteAllWarnings'])->name('massDeleteWarnings');
-            Route::get('/{id}/restore', [App\Http\Controllers\WarningController::class, 'restoreWarning'])->name('restoreWarning');
+            Route::post('/{id}/restore', [App\Http\Controllers\WarningController::class, 'restoreWarning'])->name('restoreWarning');
             Route::get('/{username}', [App\Http\Controllers\WarningController::class, 'show'])->name('warnings.show');
         });