Make event rule delete action CSRF protected

raviks789 · raviks789 · commit 64d449cd40ea · 2024-06-20T12:18:40.000+02:00
diff --git a/application/controllers/EventRuleController.php b/application/controllers/EventRuleController.php
@@ -86,11 +86,15 @@ public function indexAction(): void
             ->on(
                 EventRuleConfigForm::ON_DELETE,
                 function (EventRuleConfigForm $form) use ($ruleId, $eventRuleConfigValues) {
-                    $form->removeRule((int) $ruleId);
-                    Notification::success(
-                        sprintf(t('Successfully deleted event rule %s'), $eventRuleConfigValues['name'])
-                    );
-                    $this->redirectNow('__CLOSE__');
+                    $csrf = $form->getElement('CSRFToken');
+                    if ($csrf !== null && $csrf->isValid()) {
+                        $form->removeRule((int) $ruleId);
+                        Notification::success(
+                            sprintf(t('Successfully deleted event rule %s'), $eventRuleConfigValues['name'])
+                        );
+
+                        $this->redirectNow('__CLOSE__');
+                    }
                 }
             )
             ->handleRequest($this->getServerRequest());
