admin: avoid CSRF: use POST instead of GET, mainly for synchronisation methods

2018-01-06 15:08:05 +01:00 · 2018-01-06 15:08:05 +01:00 · 87428909b2
commit 87428909b2
parent 9a1a64c41c
4 changed files with 18 additions and 18 deletions
--- a/admin/api/certificate.go
+++ b/admin/api/certificate.go
@ -23,7 +23,7 @@ func init() {
 	router.GET("/api/teams/:tid/certificate.p12", apiHandler(teamHandler(GetTeamCertificate)))
 	router.DELETE("/api/teams/:tid/certificate.p12", apiHandler(teamHandler(
 		func(team fic.Team, _ []byte) (interface{}, error) { return team.RevokeCert() })))
-	router.GET("/api/teams/:tid/certificate/generate", apiHandler(teamHandler(
+	router.POST("/api/teams/:tid/certificate/generate", apiHandler(teamHandler(
 		func(team fic.Team, _ []byte) (interface{}, error) { return team.GenerateCert() })))
 }
--- a/admin/api/exercice.go
+++ b/admin/api/exercice.go
@ -42,13 +42,13 @@ func init() {
 	// Synchronize
-	router.GET("/api/sync/exercices/:eid/files", apiHandler(exerciceHandler(
+	router.POST("/api/sync/exercices/:eid/files", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceFiles(sync.GlobalImporter, exercice), nil })))
-	router.GET("/api/sync/exercices/:eid/hints", apiHandler(exerciceHandler(
+	router.POST("/api/sync/exercices/:eid/hints", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceHints(sync.GlobalImporter, exercice), nil })))
-	router.GET("/api/sync/exercices/:eid/keys", apiHandler(exerciceHandler(
+	router.POST("/api/sync/exercices/:eid/keys", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceKeys(sync.GlobalImporter, exercice), nil })))
-	router.GET("/api/sync/exercices/:eid/quiz", apiHandler(exerciceHandler(
+	router.POST("/api/sync/exercices/:eid/quiz", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceMCQ(sync.GlobalImporter, exercice), nil })))
 }
--- a/admin/api/theme.go
+++ b/admin/api/theme.go
@ -45,19 +45,19 @@ func init() {
 	router.GET("/api/remote/themes/:thid/exercices", apiHandler(themeHandler(sync.ApiListRemoteExercices)))
 	// Synchronize
-	router.GET("/api/sync/deep", apiHandler(
+	router.POST("/api/sync/deep", apiHandler(
 		func(_ httprouter.Params, _ []byte) (interface{}, error) { return sync.SyncDeep(sync.GlobalImporter), nil }))
-	router.GET("/api/sync/themes", apiHandler(
+	router.POST("/api/sync/themes", apiHandler(
 		func(_ httprouter.Params, _ []byte) (interface{}, error) { return sync.SyncThemes(sync.GlobalImporter), nil }))
-	router.GET("/api/sync/themes/:thid/exercices", apiHandler(themeHandler(
+	router.POST("/api/sync/themes/:thid/exercices", apiHandler(themeHandler(
 		func(theme fic.Theme, _ []byte) (interface{}, error) { return sync.SyncExercices(sync.GlobalImporter, theme), nil })))
-	router.GET("/api/sync/themes/:thid/exercices/:eid/files", apiHandler(exerciceHandler(
+	router.POST("/api/sync/themes/:thid/exercices/:eid/files", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceFiles(sync.GlobalImporter, exercice), nil })))
-	router.GET("/api/sync/themes/:thid/exercices/:eid/hints", apiHandler(exerciceHandler(
+	router.POST("/api/sync/themes/:thid/exercices/:eid/hints", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceHints(sync.GlobalImporter, exercice), nil })))
-	router.GET("/api/sync/themes/:thid/exercices/:eid/keys", apiHandler(exerciceHandler(
+	router.POST("/api/sync/themes/:thid/exercices/:eid/keys", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceKeys(sync.GlobalImporter, exercice), nil })))
-	router.GET("/api/sync/themes/:thid/exercices/:eid/quiz", apiHandler(exerciceHandler(
+	router.POST("/api/sync/themes/:thid/exercices/:eid/quiz", apiHandler(exerciceHandler(
 		func(exercice fic.Exercice, _ []byte) (interface{}, error) { return sync.SyncExerciceMCQ(sync.GlobalImporter, exercice), nil })))
 }
--- a/admin/static/js/app.js
+++ b/admin/static/js/app.js
@ -616,7 +616,7 @@ angular.module("FICApp")
 	    $scope.inSync = true;
 	    $http({
 		url: "/api/sync/themes",
-		method: "GET"
+		method: "POST"
 	    }).then(function(response) {
 		$scope.inSync = false;
 		$scope.themes = Theme.query();
@ -651,7 +651,7 @@ angular.module("FICApp")
 	    $scope.inSync = true;
 	    $http({
 		url: "/api/sync/themes/" + $scope.theme.id + "/exercices",
-		method: "GET"
+		method: "POST"
 	    }).then(function(response) {
 		$scope.inSync = false;
 		$scope.theme = Theme.get({ themeId: $routeParams.themeId });
@ -760,7 +760,7 @@ angular.module("FICApp")
 	    $scope.inSync = true;
 	    $http({
 		url: "/api/sync/exercices/" + $routeParams.exerciceId + "/files",
-		method: "GET"
+		method: "POST"
 	    }).then(function(response) {
 		$scope.inSync = false;
 		$scope.files = ExerciceFile.query({ exerciceId: $routeParams.exerciceId });
@ -798,7 +798,7 @@ angular.module("FICApp")
 	    $scope.inSync = true;
 	    $http({
 		url: "/api/sync/exercices/" + $routeParams.exerciceId + "/hints",
-		method: "GET"
+		method: "POST"
 	    }).then(function(response) {
 		$scope.inSync = false;
 		$scope.hints = ExerciceHint.query({ exerciceId: $routeParams.exerciceId });
@ -836,7 +836,7 @@ angular.module("FICApp")
 	    $scope.inSync = true;
 	    $http({
 		url: "/api/sync/exercices/" + $routeParams.exerciceId + "/keys",
-		method: "GET"
+		method: "POST"
 	    }).then(function(response) {
 		$scope.inSync = false;
 		$scope.keys = ExerciceKey.query({ exerciceId: $routeParams.exerciceId });
@ -900,7 +900,7 @@ angular.module("FICApp")
 	$scope.generateCertificate = function() {
 	    $http({
 		url: "/api/teams/" + Math.floor($routeParams.teamId) + "/certificate/generate",
-		method: "GET",
+		method: "POST",
 		transformResponse: null
 	    }).then(function(response) {
 		$scope.hasCertificate = true;