Use POST for destructive actions & mobile UI tweaks

Require POST and CSRF verification for destructive endpoints (profile delete, notification delete, clear-all) and update routes accordingly. Replace GET-based delete links with POST forms (including csrf_field()) and add hidden form submission for "clear all" and account deletion via JS. Add server-side request method checks and verifyCsrf() calls in NotificationController and ProfileController. Improve mobile UX: add sidebar overlay, open/close controls (including swipe-to-close), close button, prevent body scroll when sidebar open, responsive search placeholder and adjusted search/top-nav styling, and minor layout tweaks (truncate app name, adjust notification dropdown width). Also minor whitespace/formatting cleanups.
2026-02-01 12:30:16 +02:00
parent 6f1316682d
commit 612a4bf790
8 changed files with 163 additions and 29 deletions
--- a/app/Views/profile/index.php
+++ b/app/Views/profile/index.php
@@ -644,10 +644,13 @@ $avatar = \App\Helpers\AvatarHelper::getAvatar($user, 80);
                                    This action cannot be undone
                                </p>
                            </div>
-                            <button onclick="confirmDelete()" class="ml-4 inline-flex items-center px-4 py-2 bg-red-600 text-white text-sm rounded-lg hover:bg-red-700 transition-colors font-medium whitespace-nowrap">
-                                <i class="fas fa-trash-alt mr-2"></i>
-                                Delete Account
-                            </button>
+                            <form id="deleteAccountForm" method="POST" action="/profile/delete" class="inline">
+                                <?= csrf_field() ?>
+                                <button type="button" onclick="confirmDelete()" class="ml-4 inline-flex items-center px-4 py-2 bg-red-600 text-white text-sm rounded-lg hover:bg-red-700 transition-colors font-medium whitespace-nowrap">
+                                    <i class="fas fa-trash-alt mr-2"></i>
+                                    Delete Account
+                                </button>
+                            </form>
                        </div>
                    </div>
                </div>
@@ -734,7 +737,7 @@ document.addEventListener('DOMContentLoaded', function() {
 function confirmDelete() {
    if (confirm('Are you absolutely sure you want to delete your account?\n\nThis action is PERMANENT and cannot be undone!')) {
        if (confirm('FINAL WARNING: This will permanently delete all your data.\n\nClick OK to proceed.')) {
-            window.location.href = '/profile/delete';
+            document.getElementById('deleteAccountForm').submit();
        }
    }
 }