Fix some CSRFs (#8000)

In two bookmark actions and one in `entryController` Completes one TODO from #7923: https://github.com/FreshRSS/FreshRSS/blob/de624dc8ce63ec819c61216d9d44f828841c293e/app/Controllers/entryController.php#L257 (a POST request is already sent in the frontend)
author: Inverle <inverle@proton.me> 2025-09-24 12:13:40 +0200
committer: GitHub <noreply@github.com> 2025-09-24 12:13:40 +0200
commit: f612a560d28a31095c27c130e84bf6ff39f061f5 (patch)
tree: 53aeb904bb39ce9365342eb80c9dab54079c5696 /app/Controllers/entryController.php
parent: 067479a9f16cb91753acfd1fea5d0a18106e1c44 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/app/Controllers/entryController.php b/app/Controllers/entryController.php
index cbba1817e..0e8a4a1b9 100644
--- a/app/Controllers/entryController.php
+++ b/app/Controllers/entryController.php
@@ -260,10 +260,13 @@ class FreshRSS_entry_Controller extends FreshRSS_ActionController {
 	/**
 	 * This action purges old entries from feeds.
 	 *
-	 * @todo should be a POST request
 	 * @todo should be in feedController
 	 */
 	public function purgeAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Error::error(403);
+			return;
+		}
 		if (function_exists('set_time_limit')) {
 			@set_time_limit(300);
 		}
author	Inverle <inverle@proton.me>	2025-09-24 12:13:40 +0200
committer	GitHub <noreply@github.com>	2025-09-24 12:13:40 +0200
commit	f612a560d28a31095c27c130e84bf6ff39f061f5 (patch)
tree	53aeb904bb39ce9365342eb80c9dab54079c5696 /app/Controllers/entryController.php
parent	067479a9f16cb91753acfd1fea5d0a18106e1c44 (diff)