Controller: Add CSRF token validation to development toggle

3 years ago · 9a99c31d47
3 changed files with 37 additions and 22 deletions
--- a/app/controllers/CacheController.php
+++ b/app/controllers/CacheController.php
@ -21,6 +21,7 @@ class CacheController extends PageController {
 		$this->router->service()->config = $config;
 		$this->router->service()->csrfToken = Session::token();
 		$this->router->service()->purgeUrl = $this->url . '/purge';
 		$this->router->service()->toggleUrl = $this->url . '/toggle';
 		parent::view();
 	}
@ -81,7 +82,7 @@ class CacheController extends PageController {
 	public function toggleAction(): void
 	{
-		if (Config::c('CLOUDFLARE_ENABLED') != '1') {
+		if (!$this->validatePostRequest()) {
 			return;
 		}
--- a/app/views/admin/cache.php
+++ b/app/views/admin/cache.php
@ -75,6 +75,7 @@ use \App\Classes\Config;
 			<div class="col-3 col-md-2 col-lg-2 col-xl-2">
 				<div class="d-flex justify-content-center">
 					<input type="checkbox" id="development-mode"
 						data-href="<?= $this->toggleUrl; ?>" data-token="<?= $this->csrfToken; ?>"
 						<?= $this->config['CLOUDFLARE_DEVELOPMENT_MODE_ENABLED'] ? 'checked' : ''; ?>>
 				</div>
 			</div>
--- a/public/js/app.js
+++ b/public/js/app.js
@ -233,13 +233,13 @@ $(document).ready(function() {
 	{
 		event.preventDefault();
 		const purgeType = $(this).attr('data-type');
 		const csrfToken = $(this).attr('data-token');
 		if (!confirm('Are you sure you want to continue?')) {
 			return;
 		}
 		const purgeType = $(this).attr('data-type');
 		const csrfToken = $(this).attr('data-token');
 		$.ajax({
 			url: $(this).attr('href'),
 			type: 'POST',
@ -272,26 +272,39 @@ $(document).ready(function() {
 			return;
 		}
-		$.get('/admin/cache/toggle').done(function(data)
+		const dataHref = $(this).attr('data-href');
-		{
+		const csrfToken = $(this).attr('data-token');
 			const response = JSON.parse(data);
 			if (response.success == false) {
 				console.log(data);
 				alert("Development mode could not be enabled!");
 				return;
 			}
-			if (response.result.value == 'on') {
+		$.ajax({
-				e.target.checked = true;
+			url: dataHref,
-				$('#develop-enabled').css('visibility', 'visible');
+			type: 'POST',
-				$('#develop-remaining').text('03:00:00');
+			data: { _token: csrfToken },
-			}
+			success: function(data)
-			else {
+			{
-				e.target.checked = false;
+				if (data == '') {
-				$('#develop-enabled').css('visibility', 'hidden');
+					alert("Development mode could not be enabled!");
-			}
+					return;
 				}
-			alert("Development mode has been set to: '" + response.result.value + "'");
+				const response = JSON.parse(data);
 				if (response.success == false) {
 					console.log(data);
 					alert("Development mode could not be enabled!");
 					return;
 				}
 				if (response.result.value == 'on') {
 					e.target.checked = true;
 					$('#develop-enabled').css('visibility', 'visible');
 					$('#develop-remaining').text('03:00:00');
 				}
 				else {
 					e.target.checked = false;
 					$('#develop-enabled').css('visibility', 'hidden');
 				}
 				alert("Development mode has been set to: '" + response.result.value + "'");
 			}
 		});
 	});