Commit 900fb2e3 authored by Luke Ward's avatar Luke Ward

Moderator actions CSRF protection #14

parent 59a7375a
......@@ -61,6 +61,28 @@
'Discussions' => '/moderation/discussions'
);
try {
$item = $discussions->getFlag($request->queue, $request->flag);
} catch (Exception $e) {
$service->refresh();
$response->send();
$this->skipRemaining();
}
$showFullThread = isset($_GET['full']);
return $app->DtW->tmpl->render('moderation/discussion.twig', array('breadcrumb' => $breadcrumb, 'item' => $item, 'fullThread' => $showFullThread));
});
$this->respond('POST', '/discussions/[:queue]/[:flag]', function($request, $response, $service, $app) {
try {
$discussions = new \dtw\moderation\Discussions();
} catch (Exception $e) {
$this->skipRemaining();
return;
}
if (isset($_GET['action'])) {
try {
$item = $discussions->handleFlagAction($request->queue, $request->flag, $_GET['action']);
......@@ -77,19 +99,6 @@
$response->send();
$this->skipRemaining();
}
try {
$item = $discussions->getFlag($request->queue, $request->flag);
} catch (Exception $e) {
$service->refresh();
$response->send();
$this->skipRemaining();
}
$showFullThread = isset($_GET['full']);
return $app->DtW->tmpl->render('moderation/discussion.twig', array('breadcrumb' => $breadcrumb, 'item' => $item, 'fullThread' => $showFullThread));
});
/*
......
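Review bot: The new POST route reads the action from the query string (`isset($_GET['action'])` / `handleFlagAction(..., $_GET['action'])`) and nothing in the visible hunk verifies a CSRF token before the action is executed; restricting the route to POST only blocks link- or prefetch-triggered actions, not a forged cross-site form submission. If the token is checked by shared middleware (the template's `csrf` attribute suggests a client-side mechanism), a comment on the route should say so, e.g. `// CSRF token is verified by the request middleware before this route runs — confirm`; otherwise the submitted token should be compared here against the session value with `hash_equals()` before `handleFlagAction` is called. Since the route is POST-only, the action should also be taken from the request body rather than `$_GET`, so a state-changing parameter never lives in a URL. Both route closures extend beyond the visible hunks, and the unqualified `catch (Exception $e)` only matches `\Exception` if the file imports it or is in the global namespace — worth confirming given the `\dtw\moderation` namespace in use.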
......@@ -44,10 +44,10 @@
{% elseif item.flag.response %}
<p style="margin-top: 0">You voted to: <strong>{{ item.flag.response }}</strong></p>
{% else %}
<a href='?action=dismiss' class="button button--main">Looks ok</a>
<a href='?action=escalate' class="button button--main">Escalate</a>
<a href='?action=delete' class="button button--main button--warning">Delete</a>
<a href='?action=skip' class="button button--main right">Skip</a>
<a href='?action=dismiss' class="button button--main" csrf>Looks ok</a>
<a href='?action=escalate' class="button button--main" csrf>Escalate</a>
<a href='?action=delete' class="button button--main button--warning" csrf>Delete</a>
<a href='?action=skip' class="button button--main right" csrf>Skip</a>
{% endif %}
{% if item.flag.comment %}
......
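Review bot: The `csrf` attribute added to the four action anchors is not standard HTML, so the links still issue a GET to `?action=…` unless client-side script rewrites them into a token-bearing POST; with script disabled or failing, the action now silently does nothing because the server handles actions on POST. A script-free form would be more robust: one `<form method="post">` per action (or one form with a button per action) carrying the token as a hidden input, e.g. `<form method="post" action="?action=dismiss"><input type="hidden" name="csrf_token" value="{{ csrf_token }}"><button class="button button--main">Looks ok</button></form>`. The token variable name here is a placeholder — use whatever the view layer actually exposes.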