Controller: Add CSRF token validation to development toggle

3 years ago · 9a99c31d47
3 changed files with 37 additions and 22 deletions
--- a/app/controllers/CacheController.php
+++ b/app/controllers/CacheController.php
@ -21,6 +21,7 @@ class CacheController extends PageController {
 		$this->router->service()->config = $config;
 		$this->router->service()->csrfToken = Session::token();
 		$this->router->service()->purgeUrl = $this->url . '/purge';
+		$this->router->service()->toggleUrl = $this->url . '/toggle';
 		parent::view();
 	}

@ -81,7 +82,7 @@ class CacheController extends PageController {

 	public function toggleAction(): void
 	{
-		if (Config::c('CLOUDFLARE_ENABLED') != '1') {
+		if (!$this->validatePostRequest()) {
 			return;
 		}

--- a/app/views/admin/cache.php
+++ b/app/views/admin/cache.php
@ -75,6 +75,7 @@ use \App\Classes\Config;
 			<div class="col-3 col-md-2 col-lg-2 col-xl-2">
 				<div class="d-flex justify-content-center">
 					<input type="checkbox" id="development-mode"
+						data-href="<?= $this->toggleUrl; ?>" data-token="<?= $this->csrfToken; ?>"
 						<?= $this->config['CLOUDFLARE_DEVELOPMENT_MODE_ENABLED'] ? 'checked' : ''; ?>>
 				</div>
 			</div>
--- a/public/js/app.js
+++ b/public/js/app.js
@ -233,13 +233,13 @@ $(document).ready(function() {
 	{
 		event.preventDefault();

-		const purgeType = $(this).attr('data-type');
-		const csrfToken = $(this).attr('data-token');
-
 		if (!confirm('Are you sure you want to continue?')) {
 			return;
 		}

+		const purgeType = $(this).attr('data-type');
+		const csrfToken = $(this).attr('data-token');
+
 		$.ajax({
 			url: $(this).attr('href'),
 			type: 'POST',
@ -272,26 +272,39 @@ $(document).ready(function() {
 			return;
 		}

-		$.get('/admin/cache/toggle').done(function(data)
-		{
-			const response = JSON.parse(data);
-			if (response.success == false) {
-				console.log(data);
-				alert("Development mode could not be enabled!");
-				return;
-			}
+		const dataHref = $(this).attr('data-href');
+		const csrfToken = $(this).attr('data-token');

-			if (response.result.value == 'on') {
-				e.target.checked = true;
-				$('#develop-enabled').css('visibility', 'visible');
-				$('#develop-remaining').text('03:00:00');
-			}
-			else {
-				e.target.checked = false;
-				$('#develop-enabled').css('visibility', 'hidden');
-			}
+		$.ajax({
+			url: dataHref,
+			type: 'POST',
+			data: { _token: csrfToken },
+			success: function(data)
+			{
+				if (data == '') {
+					alert("Development mode could not be enabled!");
+					return;
+				}

-			alert("Development mode has been set to: '" + response.result.value + "'");
+				const response = JSON.parse(data);
+				if (response.success == false) {
+					console.log(data);
+					alert("Development mode could not be enabled!");
+					return;
+				}
+
+				if (response.result.value == 'on') {
+					e.target.checked = true;
+					$('#develop-enabled').css('visibility', 'visible');
+					$('#develop-remaining').text('03:00:00');
+				}
+				else {
+					e.target.checked = false;
+					$('#develop-enabled').css('visibility', 'hidden');
+				}
+
+				alert("Development mode has been set to: '" + response.result.value + "'");
+			}
 		});
 	});