Enhance user actions with CSRF protection and POST requests

Added CSRF protection and enforced POST requests for user delete and toggle status actions in UserController. Updated the users index view to use JavaScript for submitting POST forms with CSRF tokens for these actions, improving security and user experience. Also improved login success messages to include the user's full name.
2025-12-15 17:48:55 +02:00
parent bcd956a495
commit 1e98b8a047
4 changed files with 64 additions and 5 deletions
--- a/app/Views/users/index.php
+++ b/app/Views/users/index.php
@@ -273,15 +273,16 @@ $pagination = $pagination ?? [
                                    <i class="fas fa-edit"></i>
                                </a>
                                <?php if ($user['id'] != \Core\Auth::id()): ?>
-                                    <a href="/users/<?= $user['id'] ?>/toggle-status" 
+                                    <a href="#" 
                                       class="text-orange-600 hover:text-orange-800" 
-                                       title="<?= $user['is_active'] ? 'Deactivate' : 'Activate' ?>">
+                                       title="<?= $user['is_active'] ? 'Deactivate' : 'Activate' ?>"
+                                       onclick="toggleUserStatus(<?= $user['id'] ?>); return false;">
                                        <i class="fas fa-<?= $user['is_active'] ? 'user-slash' : 'user-check' ?>"></i>
                                    </a>
-                                    <a href="/users/<?= $user['id'] ?>/delete" 
+                                    <a href="#" 
                                       class="text-red-600 hover:text-red-800" 
                                       title="Delete"
-                                       onclick="return confirm('Are you sure you want to delete this user?')">
+                                       onclick="deleteUser(<?= $user['id'] ?>); return false;">
                                        <i class="fas fa-trash"></i>
                                    </a>
                                <?php else: ?>
@@ -479,6 +480,40 @@ function bulkToggleStatus(action) {
    form.submit();
 }

+function toggleUserStatus(userId) {
+    const form = document.createElement('form');
+    form.method = 'POST';
+    form.action = '/users/' + userId + '/toggle-status';
+    
+    const csrfInput = document.createElement('input');
+    csrfInput.type = 'hidden';
+    csrfInput.name = 'csrf_token';
+    csrfInput.value = '<?= csrf_token() ?>';
+    form.appendChild(csrfInput);
+    
+    document.body.appendChild(form);
+    form.submit();
+}
+
+function deleteUser(userId) {
+    if (!confirm('Are you sure you want to delete this user? This action cannot be undone.')) {
+        return;
+    }
+    
+    const form = document.createElement('form');
+    form.method = 'POST';
+    form.action = '/users/' + userId + '/delete';
+    
+    const csrfInput = document.createElement('input');
+    csrfInput.type = 'hidden';
+    csrfInput.name = 'csrf_token';
+    csrfInput.value = '<?= csrf_token() ?>';
+    form.appendChild(csrfInput);
+    
+    document.body.appendChild(form);
+    form.submit();
+}
+
 function bulkDeleteUsers() {
    const userIds = getSelectedUserIds();