Use POST for destructive actions & mobile UI tweaks

Require POST and CSRF verification for destructive endpoints (profile delete, notification delete, clear-all) and update routes accordingly. Replace GET-based delete links with POST forms (including csrf_field()) and add hidden form submission for "clear all" and account deletion via JS. Add server-side request method checks and verifyCsrf() calls in NotificationController and ProfileController. Improve mobile UX: add sidebar overlay, open/close controls (including swipe-to-close), close button, prevent body scroll when sidebar open, responsive search placeholder and adjusted search/top-nav styling, and minor layout tweaks (truncate app name, adjust notification dropdown width). Also minor whitespace/formatting cleanups.
2026-02-01 12:30:16 +02:00
parent 6f1316682d
commit 612a4bf790
8 changed files with 163 additions and 29 deletions
--- a/app/Views/notifications/index.php
+++ b/app/Views/notifications/index.php
@@ -162,9 +162,12 @@ $offset = $pagination['showing_from'] - 1;
                                    <i class="fas fa-check text-xs"></i>
                                </a>
                            <?php endif; ?>
-                            <a href="/notifications/<?= $notification['id'] ?>/delete" onclick="return confirm('Delete this notification?')" class="w-7 h-7 flex items-center justify-center text-gray-400 hover:text-red-600 hover:bg-red-50 rounded transition-colors" title="Delete">
-                                <i class="fas fa-times text-xs"></i>
-                            </a>
+                            <form method="POST" action="/notifications/<?= $notification['id'] ?>/delete" class="inline" onsubmit="return confirm('Delete this notification?')">
+                                <?= csrf_field() ?>
+                                <button type="submit" class="w-7 h-7 flex items-center justify-center text-gray-400 hover:text-red-600 hover:bg-red-50 rounded transition-colors" title="Delete">
+                                    <i class="fas fa-times text-xs"></i>
+                                </button>
+                            </form>
                        </div>
                    </div>
                </div>
@@ -266,6 +269,11 @@ $offset = $pagination['showing_from'] - 1;
 </div>
 <?php endif; ?>

+<!-- Hidden form for clear all -->
+<form id="clearAllForm" method="POST" action="/notifications/clear-all" class="hidden">
+    <?= csrf_field() ?>
+</form>
+
 <script>
 function markAllAsRead() {
    if (confirm('Mark all notifications as read?')) {
@@ -275,7 +283,7 @@ function markAllAsRead() {

 function clearAll() {
    if (confirm('Clear all notifications? This action cannot be undone.')) {
-        window.location.href = '/notifications/clear-all';
+        document.getElementById('clearAllForm').submit();
    }
 }
 </script>