From f612a560d28a31095c27c130e84bf6ff39f061f5 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Wed, 24 Sep 2025 12:13:40 +0200
Subject: Fix some CSRFs (#8000)

In two bookmark actions and one in `entryController`

Completes one TODO from #7923: https://github.com/FreshRSS/FreshRSS/blob/de624dc8ce63ec819c61216d9d44f828841c293e/app/Controllers/entryController.php#L257 (a POST request is already sent in the frontend)
---
 app/Controllers/entryController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'app/Controllers/entryController.php')

diff --git a/app/Controllers/entryController.php b/app/Controllers/entryController.php
index cbba1817e..0e8a4a1b9 100644
--- a/app/Controllers/entryController.php
+++ b/app/Controllers/entryController.php
@@ -260,10 +260,13 @@ class FreshRSS_entry_Controller extends FreshRSS_ActionController {
 /**
 * This action purges old entries from feeds.
 *
- * @todo should be a POST request
 * @todo should be in feedController
 */
 public function purgeAction(): void {
+ if (!Minz_Request::isPost()) {
+ Minz_Error::error(403);
+ return;
+ }
 if (function_exists('set_time_limit')) {
 @set_time_limit(300);
 }
-- 
cgit v1.2.3
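Review bot: The new `Minz_Request::isPost()` guard at the top of purgeAction only restricts the HTTP method; on its own that stops GET-triggered purges (links, prefetch, image tags) but is a CSRF fix only if a per-session token is verified for POST requests somewhere central, which this hunk neither shows nor documents. Since the commit message calls this a CSRF fix, the assumption should be recorded next to the check so a later refactor does not drop the token verification while keeping this line: `// Reject non-POST so a crafted link cannot trigger a purge; CSRF token verification for POST is assumed to happen centrally (verify).` The docblock lost its `@todo` but gained no statement of the new precondition, so a line such ` * Responds 403 unless the request is a POST.` would make the contract visible to callers. purgeAction's body continues past the end of the hunk, so whether anything later in the method re-reads request parameters without that guard cannot be judged from here.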