cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Prevent CSRF bypass unblocking users

Browse source
This commit is contained in:
mmd-osm 2021-02-09 19:46:17 +01:00 committed by Tom Hughes
parent 7810734ac4
commit c49e400aa3
2 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/user_blocks_controller.rb
View file

@ -79,7 +79,7 @@ class UserBlocksController < ApplicationController
## ##
# revokes the block, setting the end_time to now # revokes the block, setting the end_time to now
def revoke def revoke
if params[:confirm] && @user_block.revoke!(current_user) if request.post? && params[:confirm] && @user_block.revoke!(current_user)
flash[:notice] = t ".flash" flash[:notice] = t ".flash"
redirect_to(@user_block) redirect_to(@user_block)
end end

9
test/controllers/user_blocks_controller_test.rb
View file

@ -351,7 +351,14 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
assert_select "input[type='submit'][value='Revoke!']", :count => 1 assert_select "input[type='submit'][value='Revoke!']", :count => 1
end end
# Check that revoking a block works # Check that revoking a block using GET should fail
get revoke_user_block_path(:id => active_block, :confirm => true)
assert_response :success
assert_template "revoke"
b = UserBlock.find(active_block.id)
assert b.ends_at - Time.now > 100
# Check that revoking a block works using POST
post revoke_user_block_path(:id => active_block, :confirm => true) post revoke_user_block_path(:id => active_block, :confirm => true)
assert_redirected_to user_block_path(active_block) assert_redirected_to user_block_path(active_block)
b = UserBlock.find(active_block.id) b = UserBlock.find(active_block.id)