CVE-2023-4455: Merge pull request from GHSA-gjvc-55fw-v6vq · wallabag/wallabag@ffcc5c9
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.
Expand Up @@ -69,12 +69,17 @@ public function createClientAction(Request $request, EntityManagerInterface $ent /** * Remove a client. * * @Route(“/developer/client/delete/{id}", requirements={"id” = “\d+"}, name="developer_delete_client”) * @Route(“/developer/client/delete/{id}", requirements={"id” = "\d+"}, name="developer_delete_client", methods={"POST"}) * * @return RedirectResponse */ public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) {
if (!$this->isCsrfTokenValid('delete-client’, $request->request->get(‘token’))) { throw $this->createAccessDeniedException(‘Bad CSRF token.’); }
if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) { throw $this->createAccessDeniedException(‘You can not access this client.’); } Expand Down
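Review bot: The docblock on the new side still documents only the route, while the action now rejects anything but a POST that carries a `token` field, so the contract template authors must meet is nowhere stated; add a line such as ` * Requires a POST with the CSRF token for id "delete-client" in the "token" field; a missing or invalid token yields 403.` The token id `'delete-client'` is the same for every client, which is acceptable here because the ownership check that follows still blocks cross-user deletion, but `'delete-client-' . $client->getId()` would narrow each token's scope at no cost. Since `$client` is resolved from `{id}` before the action body runs (presumably by the param converter), a non-existent id yields 404 ahead of both the CSRF and ownership checks, so a logged-in user can still tell existing client ids from absent ones; that behaviour predates this change. Any template that reached this route through a plain GET link must be switched to a POST form carrying the token, which this hunk cannot show. deleteClientAction's body continues past the hunk.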