Commit 59a7375a authored by Luke Ward's avatar Luke Ward

Follow and unfollow thread CSRF protection #14

parent 7cc95353
......@@ -286,6 +286,29 @@
$this->skipRemaining();
});
/*
* Follow thread
*/
$this->respond('GET', '/[:thread]/[follow|unfollow:action]', function ($request, $response, $service, $app) {
return $app->DtW->tmpl->render('csrf-confirm.twig', array('action' => ($request->action === 'follow' ? 'follow' : 'unfollow') . ' a thread'));
});
$this->respond('POST', '/[:thread]/[follow|unfollow:action]', function ($request, $response, $service, $app) {
$app->DtW->user->isAuth($response);
try {
$thread = $app->DtW->discussions->getThread($request->thread);
$thread->isFollowing($request->action === 'follow');
} catch (Exception $e) {
var_dump($e);
die();
\dtw\utils\Flash::add($e->getMessage(), 'error');
}
$response->redirect('/discussion/' . $request->thread)->send();
$this->skipRemaining();
});
/*
* Delete thread
*/
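Review bot: The catch block's `var_dump($e); die();` lines terminate the request with a raw dump of the exception, so the `\dtw\utils\Flash::add($e->getMessage(), 'error');` line after them is unreachable and the redirect at the end of the handler never runs; the dump also exposes the exception's message, file paths and stack trace to whoever triggered the failure. Removing those two debug lines makes the handler flash the message and redirect like the surrounding handlers do. I also cannot see a token check inside the POST handler itself; if the `token` field posted by csrf-confirm.twig is validated by middleware before this route runs, a short comment such as `// CSRF token is validated upstream before this handler runs` would make that explicit, and if it is not, the confirm page adds no protection. The two respond() callbacks are complete within the hunk, but the enclosing routing method starts and ends outside it.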
......@@ -5,14 +5,16 @@
{% block content %}
<div id="content" class="container">
<div class="block">
<h1>Request error</h1>
<p>There was an error with the request. This might be because your sessions timed out or you have JS disabled. If you are sure you wanted to "{{ action }}" click the submit button below.</p>
<p>If you think this page was shown in error please close this page and contact us if you think there was malicious intent.</p>
<div class="block-content">
<h1>Request error</h1>
<p>There was an error with the request. This might be because your sessions timed out or you have JS disabled. If you are sure you wanted to "{{ action }}" click the submit button below.</p>
<p>If you think this page was shown in error please close this page and contact us if you think there was malicious intent.</p>
<form method="POST">
<input type="hidden" name="token" value="{{ CSRFtoken }}"/>
<button type="submit" class='button button--warning button--main'>Submit</button>
</form>
<form method="POST">
<input type="hidden" name="token" value="{{ CSRFtoken }}"/>
<button type="submit" class='button button--warning button--main'>Submit</button>
</form>
</div>
</div>
</div>
{% endblock %}
\ No newline at end of file
......@@ -9,7 +9,20 @@
<div class="twelve columns discussion-thread" data-thread-id="{{ thread.id }}">
{% include 'includes/flash.twig' %}
<h1>{{ thread.title }}</h1>
<div class="discussion-thread-title">
<div class="button-group right">
<a href="{{ thread.permalink }}/{{ thread.isFollowing() ? 'unfollow' : 'follow' }}" class="button discussion-thread-subscribe {{ thread.isFollowing() ? 'discussion-thread-subscribe--following button--warning' : '' }}" csrf>
{{ thread.isFollowing() ? 'Following' : 'Follow' }}
<i class="fas fa-{{ thread.isFollowing() ? 'check' : 'bell' }}" aria-hidden="true"></i>
</a>
</div>
<h1>{{ thread.title }}</h1>
{% if thread.level_id %}
{% set level = getLevel(thread.level_id) %}
<h3>{{ level.getLink()|raw }}</h3>
{% endif %}
</div>
{% for post in thread.posts|slice(0, 1) %}
{% include 'discussions/post.twig' %}
{% endfor %}
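Review bot: `{{ level.getLink()|raw }}` on the new `<h3>` line switches off Twig's autoescaping for whatever getLink() returns, which is only safe if getLink() escapes the level name itself; that cannot be confirmed from this hunk and is worth verifying, with a comment on the line once confirmed, e.g. `{# getLink() returns pre-escaped HTML #}`. Separately, `thread.isFollowing()` is evaluated four times in the new button-group block; hoisting it with `{% set following = thread.isFollowing() %}` above the `<div class="button-group right">` line and using `following` in the four ternaries reads more clearly and avoids repeated calls. The bare `csrf` attribute on the `<a>` is non-standard HTML; `data-csrf` would validate while remaining selectable by the script that presumably handles it, if that hook can be adjusted.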