Add CSRF token validation for quiz-related actions

- Added CSRF validation to `enableQuiz`, `clearQuiz`, `deleteQuiz`, `toggleCandidate`, and `prepareElimination` actions.
- Updated Twig templates to replace links with POST forms to include CSRF tokens.
- Set HTTP method restrictions for related endpoints to `POST`.
This commit is contained in:
2026-05-24 14:15:12 +02:00
parent cab2d25000
commit 246ff999d3
5 changed files with 65 additions and 25 deletions
@@ -35,14 +35,16 @@
{% endif %}
</td>
<td>
<a href="{{ path('tvdt_backoffice_toggle_candidate', {quiz: quiz.id, candidate: candidate.id}) }}"
class="btn btn-sm btn-outline-secondary">
{% if quizCandidate == null or quizCandidate.active %}
{{ 'Deactivate'|trans }}
{% else %}
{{ 'Activate'|trans }}
{% endif %}
</a>
<form action="{{ path('tvdt_backoffice_toggle_candidate', {quiz: quiz.id, candidate: candidate.id}) }}" method="POST">
<input type="hidden" name="_token" value="{{ csrf_token('toggle_candidate') }}">
<button type="submit" class="btn btn-sm btn-outline-secondary">
{% if quizCandidate == null or quizCandidate.active %}
{{ 'Deactivate'|trans }}
{% else %}
{{ 'Activate'|trans }}
{% endif %}
</button>
</form>
</td>
</tr>
{% endfor %}