authorIgor Scheller <igor.scheller@igorshp.de>2018-11-20 16:02:03 +0100
committermsquare <msquare@notrademark.de>2018-11-21 19:24:36 +0100
commit944c29b96429ec95ac1371cb33cc43704a60c7b1 (patch)
tree7be99e68d8c15fc7e210a4b3ccc44861a8d1de64 /includes/view/ShiftEntry_view.php
parentfd37c9d60ea818dc9a562fa88ff5f9a50132506f (diff)
Require POST for sending forms
* Ensure that the form is submitted with a post request
* Replaced several links with forms

Closes #494 (Security Vulnerability)
Diffstat (limited to 'includes/view/ShiftEntry_view.php')
-rw-r--r--includes/view/ShiftEntry_view.php31
1 files changed, 15 insertions, 16 deletions
diff --git a/includes/view/ShiftEntry_view.php b/includes/view/ShiftEntry_view.php
index 5d4364f5..26e9896d 100644
--- a/includes/view/ShiftEntry_view.php
+++ b/includes/view/ShiftEntry_view.php
@@ -5,14 +5,13 @@ use Engelsystem\Models\User\User;
/**
* Sign off from an user from a shift with admin permissions, asking for ack.
*
- * @param array $shiftEntry
* @param array $shift
* @param array $angeltype
* @param User $signoff_user
*
* @return string HTML
*/
-function ShiftEntry_delete_view_admin($shiftEntry, $shift, $angeltype, $signoff_user)
+function ShiftEntry_delete_view_admin($shift, $angeltype, $signoff_user)
{
return page_with_title(ShiftEntry_delete_title(), [
info(sprintf(
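Review bot: A caller that still passes four arguments to `ShiftEntry_delete_view_admin()` would not fail after this signature change, because the parameters are untyped and PHP ignores the extra argument, so the shift entry would be bound to `$shift` and every later value would move one position. The callers are outside this file-limited diff, so please confirm that all of them were updated. Declaring the types the docblock already states, `function ShiftEntry_delete_view_admin(array $shift, array $angeltype, User $signoff_user)`, would turn a stale call into a TypeError. The same applies to `ShiftEntry_delete_view()` in the next hunk, with `int $signoff_user_id`. The function body continues outside this hunk.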
@@ -23,26 +22,25 @@ function ShiftEntry_delete_view_admin($shiftEntry, $shift, $angeltype, $signoff_
date('Y-m-d H:i', $shift['end']),
$angeltype['name']
), true),
- buttons([
- button(user_link($signoff_user->id), glyph('remove') . __('cancel')),
- button(shift_entry_delete_link($shiftEntry, [
- 'continue' => 1
- ]), glyph('ok') . __('delete'), 'btn-danger')
- ])
+ form([
+ buttons([
+ button(user_link($signoff_user->id), glyph('remove') . __('cancel')),
+ form_submit('delete', glyph('ok') . __('delete'), 'btn-danger', false)
+ ]),
+ ]),
]);
}
/**
* Sign off from a shift, asking for ack.
*
- * @param array $shiftEntry
* @param array $shift
* @param array $angeltype
* @param int $signoff_user_id
*
* @return string HTML
*/
-function ShiftEntry_delete_view($shiftEntry, $shift, $angeltype, $signoff_user_id)
+function ShiftEntry_delete_view($shift, $angeltype, $signoff_user_id)
{
return page_with_title(ShiftEntry_delete_title(), [
info(sprintf(
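Review bot: Nothing visible in the new `form([...])` block carries an anti-CSRF token, and requiring POST does not by itself stop another site from submitting this delete form on behalf of a logged-in user. The `form()` helper and the delete handler are outside this file-limited diff, so this is something to confirm rather than a confirmed gap: `form()` should emit a per-session token and the handler should reject a request without a valid one. If that is missing, it belongs in `form()` so every converted view gets it, not in each view separately. The same applies to the identical form added to `ShiftEntry_delete_view()` in the last hunk.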
@@ -52,12 +50,13 @@ function ShiftEntry_delete_view($shiftEntry, $shift, $angeltype, $signoff_user_i
date('Y-m-d H:i', $shift['end']),
$angeltype['name']
), true),
- buttons([
- button(user_link($signoff_user_id), glyph('remove') . __('cancel')),
- button(shift_entry_delete_link($shiftEntry, [
- 'continue' => 1
- ]), glyph('ok') . __('delete'), 'btn-danger')
- ])
+
+ form([
+ buttons([
+ button(user_link($signoff_user_id), glyph('remove') . __('cancel')),
+ form_submit('delete', glyph('ok') . __('delete'), 'btn-danger', false),
+ ]),
+ ]),
]);
}
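Review bot: The confirmation form here is a line-for-line copy of the one in `ShiftEntry_delete_view_admin()` apart from the cancel target, and the two copies already differ in formatting: this one has a stray blank added line before `form([` and a trailing comma after `form_submit(...)`. Since this form is the control the commit relies on for the POST-only delete, a small shared helper taking the cancel URL would keep the two views from drifting apart. The bare `false` passed as the fourth argument to `form_submit()` is also opaque at the call site, so a short comment naming that parameter would help the next reader.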