convert API generate/delete actions to POST-only to mitigate GET-based CSRF

This commit is contained in:
int2001
2026-03-16 07:44:08 +00:00
parent 061c7af448
commit 5734419e78
2 changed files with 44 additions and 6 deletions


@@ -83,14 +83,23 @@ class API extends CI_Controller {
}
function generate($rights) {
function generate() {
// CSRF mitigation: reject non-POST requests
if ($this->input->method() !== 'post') {
$this->session->set_flashdata('error', __("Invalid request method"));
redirect('api');
return;
}
$this->load->model('user_model');
if(!$this->user_model->authorize(3)) { $this->session->set_flashdata('error', __("You're not allowed to do that!")); redirect('dashboard'); }
$rights = $this->input->post('rights', TRUE);
if ($rights !== "r" && $rights !== "rw") {
$this->session->set_flashdata('error', __("Invalid API rights"));
redirect('api');
exit;
return;
}
$this->load->model('api_model');
@@ -109,10 +118,23 @@ class API extends CI_Controller {
redirect('api');
}
function delete($key) {
function delete() {
// CSRF mitigation: reject non-POST requests
if ($this->input->method() !== 'post') {
$this->session->set_flashdata('error', __("Invalid request method"));
redirect('api');
return;
}
$this->load->model('user_model');
if(!$this->user_model->authorize(3)) { $this->session->set_flashdata('error', __("You're not allowed to do that!")); redirect('dashboard'); }
$key = $this->input->post('key', TRUE);
if (empty($key)) {
$this->session->set_flashdata('error', __("Invalid API Key"));
redirect('api');
return;
}
$this->load->model('api_model');
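Review bot: The new method check at the top of generate() and delete() only rejects non-POST requests; a cross-site page can still auto-submit a POST form to `api/generate` or `api/delete`, so on its own this is not a CSRF defence, as the commit title itself limits the claim to GET-based CSRF. The forms added in the view carry no anti-forgery token, so unless CodeIgniter's `$config['csrf_protection']` is enabled and the view emits the token (e.g. via `form_open()`), POST-based CSRF remains possible; I would state that dependency above the check with `// Method check only blocks GET-triggered CSRF; POST forgery is covered by $config['csrf_protection'] and the token in the view form`. The `return;` after `redirect('api')` appears unreachable, since CI3's `redirect()` exits after sending the header, so it is harmless but misleading. Both generate() and delete() continue past the hunk, so I cannot see whether the model calls that follow are scoped to the current user's keys.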


@@ -78,7 +78,13 @@
<?php
$cfnm_delete = sprintf(__("Are you sure you want delete the API Key %s?"), '&quot;'.($row->description ?? '<noname>').'&quot;');
?>
<a href="<?php echo site_url('api/delete/' . $api_key); ?>" class="btn btn-danger btn-sm" onclick="return confirm('<?php echo $cfnm_delete; ?>');"><?= __("Delete"); ?></a>
<form method="post" action="<?php echo site_url('api/delete'); ?>" style="display:inline;">
<input type="hidden" name="key" value="<?php echo $api_key; ?>">
<button type="submit" class="btn btn-danger btn-sm"
onclick="return confirm('<?php echo $cfnm_delete; ?>');">
<?= __("Delete"); ?>
</button>
</form>
<?php } ?>
</td>
@@ -93,8 +99,18 @@
<?php } ?>
<p>
<a href="<?php echo site_url('api/generate/rw'); ?>" class="btn btn-primary "><i class="fas fa-plus"></i> <?= __("Create a read & write key"); ?></a>
<a href="<?php echo site_url('api/generate/r'); ?>" class="btn btn-primary"><i class="fas fa-plus"></i> <?= __("Create a read-only key"); ?></a>
<form method="post" action="<?php echo site_url('api/generate'); ?>" style="display:inline;">
<input type="hidden" name="rights" value="rw">
<button type="submit" class="btn btn-primary">
<i class="fas fa-plus"></i> <?= __("Create a read & write key"); ?>
</button>
</form>
<form method="post" action="<?php echo site_url('api/generate'); ?>" style="display:inline;">
<input type="hidden" name="rights" value="r">
<button type="submit" class="btn btn-primary">
<i class="fas fa-plus"></i> <?= __("Create a read-only key"); ?>
</button>
</form>
</p>
</div>
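Review bot: The three hand-written `<form method="post">` elements carry no CSRF token, so if `$config['csrf_protection']` is enabled CodeIgniter will reject these submissions, and if it is not enabled the POST-only change gives no protection against a cross-site auto-submitted form. Use the form helper so the token is injected automatically, `<?php echo form_open('api/delete', ['style' => 'display:inline;']); ?>` paired with `<?php echo form_close(); ?>`, and the same for the two generate forms. The hidden `key` value should also be escaped since it lands in an attribute, `value="<?php echo html_escape($api_key); ?>"`. The onclick confirm string is still built from `$row->description` without JavaScript-string escaping (unchanged from the removed anchor line); a description containing a single quote would terminate the string, so consider `json_encode`/`html_escape` there — I cannot see from this hunk where description originates, so treat that as a point to confirm.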