Add CSRF token validation for quiz-related actions

- Added CSRF validation to `enableQuiz`, `clearQuiz`, `deleteQuiz`, `toggleCandidate`, and `prepareElimination` actions.
- Updated Twig templates to replace links with POST forms to include CSRF tokens.
- Set HTTP method restrictions for related endpoints to `POST`.
This commit is contained in:
2026-05-24 14:15:12 +02:00
parent cab2d25000
commit 246ff999d3
5 changed files with 65 additions and 25 deletions
@@ -24,9 +24,14 @@ final class PrepareEliminationController extends AbstractController
'/backoffice/season/{seasonCode:season}/quiz/{quiz}/elimination/prepare',
name: 'tvdt_prepare_elimination',
requirements: ['seasonCode' => self::SEASON_CODE_REGEX, 'quiz' => Requirement::UUID],
methods: ['POST'],
)]
public function index(Season $season, Quiz $quiz): RedirectResponse
public function index(Season $season, Quiz $quiz, Request $request): RedirectResponse
{
if (!$this->isCsrfTokenValid('prepare_elimination', $request->request->get('_token'))) {
throw $this->createAccessDeniedException();
}
$elimination = $this->eliminationFactory->createEliminationFromQuiz($quiz);
return $this->redirectToRoute('tvdt_prepare_elimination_view', ['elimination' => $elimination->id]);