security: cross-site request forgery

resources/views/user/user_modals.blade.php

@@ -242,8 +242,13 @@
             <div class="modal-body">
                 <div class="py-3">
                     <div class="text-center">
-                        <a href="{{ route('user_delete', ['username' => $user->username]) }}"><input
-                                class="btn btn-danger" type="submit" value="Yes, Delete"></a>
+                        <form action="{{ route('user_delete', ['username' => $user->username]) }}" method="POST">
+                            @csrf
+                            @method('DELETE')
+                            <button type="submit" class="btn btn-danger">
+                                <i class="{{ config('other.font-awesome') }} fa-trash"></i> @lang('common.delete')
+                            </button>
+                        </form>
                     </div>
                 </div>
             </div>

routes/web.php

@@ -894,7 +894,7 @@
             Route::get('/{username}/settings', [App\Http\Controllers\Staff\UserController::class, 'settings'])->name('user_setting');
             Route::post('/{username}/permissions', [App\Http\Controllers\Staff\UserController::class, 'permissions'])->name('user_permissions');
             Route::post('/{username}/password', [App\Http\Controllers\Staff\UserController::class, 'password'])->name('user_password');
-            Route::get('/{username}/destroy', [App\Http\Controllers\Staff\UserController::class, 'destroy'])->name('user_delete');
+            Route::delete('/{username}/destroy', [App\Http\Controllers\Staff\UserController::class, 'destroy'])->name('user_delete');
             Route::post('/{username}/warn', [App\Http\Controllers\Staff\UserController::class, 'warnUser'])->name('user_warn');
         });