bit-badger/myWebLog
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 11 Activity

Remove CSRF from admin/upload delete endpoints

Browse Source
This commit is contained in:
Daniel J. Summers 2025-07-05 12:07:58 -04:00
parent d1840f63e5
commit 161a61823f
2 changed files with 12 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/MyWebLog/Views/User.fs
View File

@ -144,7 +144,7 @@ let userList (model: WebLogUser list) app =
] ]
if app.UserId.Value <> user.Id then if app.UserId.Value <> user.Id then
span [ _class "text-muted" ] [ raw " &bull; " ] span [ _class "text-muted" ] [ raw " &bull; " ]
a [ _href userUrl; _hxDelete userUrl; _class "text-danger" a [ _href userUrl; _hxDelete userUrl; _hxPushUrl "false"; _class "text-danger"
_hxConfirm $"Are you sure you want to delete the user “{user.PreferredName}”? This action cannot be undone. (This action will not succeed if the user has authored any posts or pages.)" ] [ _hxConfirm $"Are you sure you want to delete the user “{user.PreferredName}”? This action cannot be undone. (This action will not succeed if the user has authored any posts or pages.)" ] [
raw "Delete" raw "Delete"
] ]
@ -186,11 +186,8 @@ let userList (model: WebLogUser list) app =
div [ _class "container g-0" ] [ div [ _class "container g-0" ] [
div [ _class "row mwl-table-detail"; _id "user_new" ] [] div [ _class "row mwl-table-detail"; _id "user_new" ] []
] ]
form [ _method "post"; _class "container g-0"; _hxTarget "#user_panel" List.map userDetail model
_hxSwap $"{HxSwap.OuterHtml} show:window:top" ] [ |> div [ _class "container g-0"; _hxTarget "#user_panel"; _hxSwap $"{HxSwap.OuterHtml} show:window:top" ]
antiCsrf app
yield! List.map userDetail model
]
] ]
] ]
|> List.singleton |> List.singleton

16
src/MyWebLog/Views/WebLog.fs
View File

@ -462,7 +462,7 @@ let redirectList (model: RedirectRule list) app = [
if idx <> model.Length - 1 then if idx <> model.Length - 1 then
actionSpacer; a [ _href $"{ruleUrl}/down"; _hxPost $"{ruleUrl}/down" ] [ raw "Move Down" ] actionSpacer; a [ _href $"{ruleUrl}/down"; _hxPost $"{ruleUrl}/down" ] [ raw "Move Down" ]
actionSpacer actionSpacer
a [ _class "text-danger"; _href ruleUrl; _hxDelete ruleUrl a [ _class "text-danger"; _href ruleUrl; _hxDelete ruleUrl; _hxPushUrl "false"
_hxConfirm "Are you sure you want to delete this redirect rule?" ] [ _hxConfirm "Are you sure you want to delete this redirect rule?" ] [
raw "Delete" raw "Delete"
] ]
@ -499,7 +499,8 @@ let redirectList (model: RedirectRule list) app = [
] ]
div [ _class "row mwl-table-detail"; _id "rule_new" ] [] div [ _class "row mwl-table-detail"; _id "rule_new" ] []
form [ _method "post"; _class "container g-0"; _hxTarget "body" ] [ form [ _method "post"; _class "container g-0"; _hxTarget "body" ] [
antiCsrf app; yield! List.mapi ruleDetail model antiCsrf app
yield! List.mapi ruleDetail model
] ]
] ]
p [ _class "mt-3 text-muted fst-italic text-center" ] [ p [ _class "mt-3 text-muted fst-italic text-center" ] [
@ -553,7 +554,8 @@ let tagMapList (model: TagMap list) app =
_hxSwap $"{HxSwap.InnerHtml} show:#tag_{map.Id}:top" ] [ _hxSwap $"{HxSwap.InnerHtml} show:#tag_{map.Id}:top" ] [
raw "Edit" raw "Edit"
]; actionSpacer ]; actionSpacer
a [ _href url; _hxDelete url; _class "text-danger" a [ _href url; _hxDelete url; _hxTarget "#tagList"; _hxPushUrl "false"; _hxSwap HxSwap.OuterHtml
_class "text-danger"
_hxConfirm $"Are you sure you want to delete the mapping for “{map.Tag}”? This action cannot be undone." ] [ _hxConfirm $"Are you sure you want to delete the mapping for “{map.Tag}”? This action cannot be undone." ] [
raw "Delete" raw "Delete"
] ]
@ -573,12 +575,9 @@ let tagMapList (model: TagMap list) app =
div [ _class "col" ] [ raw "URL Value" ] div [ _class "col" ] [ raw "URL Value" ]
] ]
] ]
form [ _method "post"; _class "container g-0"; _hxTarget "#tagList"; _hxSwap HxSwap.OuterHtml ] [
antiCsrf app
div [ _class "row mwl-table-detail"; _id "tag_new" ] [] div [ _class "row mwl-table-detail"; _id "tag_new" ] []
yield! List.map tagMapDetail model yield! List.map tagMapDetail model
] ]
]
|> List.singleton |> List.singleton
@ -637,8 +636,7 @@ let uploadList (model: DisplayUpload seq) app = [
h2 [ _class "my-3" ] [ raw app.PageTitle ] h2 [ _class "my-3" ] [ raw app.PageTitle ]
article [] [ article [] [
a [ _href (relUrl app "admin/upload/new"); _class "btn btn-primary btn-sm mb-3" ] [ raw "Upload a New File" ] a [ _href (relUrl app "admin/upload/new"); _class "btn btn-primary btn-sm mb-3" ] [ raw "Upload a New File" ]
form [ _method "post"; _class "container"; _hxTarget "body" ] [ div [ _class "container"; _hxTarget "body" ] [
antiCsrf app
div [ _class "row" ] [ div [ _class "row" ] [
div [ _class "col text-center" ] [ div [ _class "col text-center" ] [
em [ _class "text-muted" ] [ raw "Uploaded files served from" ]; br []; raw relativeBase em [ _class "text-muted" ] [ raw "Uploaded files served from" ]; br []; raw relativeBase
@ -726,7 +724,7 @@ let webLogSettings
a [ _href (relUrl app (string feed.Path)); _target "_blank" ] [ raw "View Feed" ] a [ _href (relUrl app (string feed.Path)); _target "_blank" ] [ raw "View Feed" ]
actionSpacer actionSpacer
a [ _href $"{feedUrl}/edit" ] [ raw "Edit" ]; actionSpacer a [ _href $"{feedUrl}/edit" ] [ raw "Edit" ]; actionSpacer
a [ _href feedUrl; _hxDelete feedUrl; _class "text-danger" a [ _href feedUrl; _hxDelete feedUrl; _hxPushUrl "false"; _class "text-danger"
_hxConfirm $"Are you sure you want to delete the custom RSS feed based on {feed.Source}? This action cannot be undone." ] [ _hxConfirm $"Are you sure you want to delete the custom RSS feed based on {feed.Source}? This action cannot be undone." ] [
raw "Delete" raw "Delete"
] ]