From 11e6e0394c9e617a56ac29afc7a341f19ac6662d Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Mon, 29 Sep 2025 23:52:19 +0200
Subject: Fix more CSRFs (#8035)

Follow-up of #8000

Some were still missed in `feedController`.
even had comments but no check:

https://github.com/FreshRSS/FreshRSS/blob/0d463b67bdade2e896b7fa74595950eeaadd55fe/app/Controllers/feedController.php#L1053-L1055

https://github.com/FreshRSS/FreshRSS/blob/0d463b67bdade2e896b7fa74595950eeaadd55fe/app/Controllers/feedController.php#L374-L376
---
 app/Controllers/feedController.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'app/Controllers/feedController.php')

diff --git a/app/Controllers/feedController.php b/app/Controllers/feedController.php
index a63109c31..0b8c63bbe 100644
--- a/app/Controllers/feedController.php
+++ b/app/Controllers/feedController.php
@@ -379,6 +379,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 *   - id (default: false)
 	 */
 	public function truncateAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		$id = Minz_Request::paramInt('id');
 		$url_redirect = [
 			'c' => 'subscription',
@@ -1059,6 +1062,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 *   - id (default: false)
 	 */
 	public function deleteAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		$from = Minz_Request::paramString('from');
 		$id = Minz_Request::paramInt('id');
 
@@ -1096,6 +1102,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 *
 	 */
 	public function clearCacheAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		//Get Feed.
 		$id = Minz_Request::paramInt('id');
 
@@ -1122,6 +1131,9 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	 * @throws FreshRSS_BadUrl_Exception
 	 */
 	public function reloadAction(): void {
+		if (!Minz_Request::isPost()) {
+			Minz_Request::forward(['c' => 'subscription'], true);
+		}
 		if (function_exists('set_time_limit')) {
 			@set_time_limit(300);
 		}
-- 
cgit v1.2.3