luci-app-radicale: protect start/stop actions with csrf token
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:03:56 +0000 (00:03 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 22:03:56 +0000 (00:03 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
applications/luci-app-radicale/luasrc/controller/radicale.lua
applications/luci-app-radicale/luasrc/view/radicale/btn_startstop.htm

index d384b00d9e57db8d01825d78a05d4d636fbf9db8..35f5a83a0c0d085b1fd394ecd8f5ef7ca4f90152 100644 (file)
@@ -15,7 +15,7 @@ function index()
        entry( {"admin", "services", "radicale"}, alias("admin", "services", "radicale", "edit"), _("CalDAV/CardDAV"), 58)
        entry( {"admin", "services", "radicale", "edit"}, cbi("radicale") ).leaf = true
        entry( {"admin", "services", "radicale", "logview"}, call("_logread") ).leaf = true
-       entry( {"admin", "services", "radicale", "startstop"}, call("_startstop") ).leaf = true
+       entry( {"admin", "services", "radicale", "startstop"}, post("_startstop") ).leaf = true
        entry( {"admin", "services", "radicale", "status"}, call("_status") ).leaf = true
 end
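Review bot: The `startstop` entry is now the only one in `index()` registered with `post()`, and nothing on the line records why, so a later cleanup could switch it back to `call()` and make the action reachable by a cross-site GET again. A comment above it such as `-- changes service state: keep post() so the request must be a POST carrying the session token` would preserve the intent. `logview` and `status` stay on `call()`, which is fine only if `_logread` and `_status` are read-only; their bodies are outside this hunk, so that is worth confirming.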
 
index b34627536d9b27128cdb2de648c50611d223a3c5..dbf4dddbca114fdaeb0ef39cae2adcbdbe9d3f0a 100644 (file)
@@ -21,7 +21,7 @@
        function onclick_startstop(id) {
                // do start/stop
                var btnXHR = new XHR();
-               btnXHR.get('<%=url('admin/services/radicale/startstop')%>', null,
+               btnXHR.post('<%=url('admin/services/radicale/startstop')%>', { token: '<%=token%>' },
                        function(x) { _data2elements(x); }
                );
        }
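Review bot: The callback passed to `btnXHR.post` hands the response straight to `_data2elements` without checking the status. Now that the endpoint rejects requests with a missing or stale token, a rejected request will presumably return an error response rather than the expected status data. Guarding the call, for example `function(x) { if (x && x.status == 200) _data2elements(x); }`, would keep the button state from being updated from a failed request. `_data2elements` is defined outside this hunk, so it may already handle this case; if it does, a short comment here saying so would be enough.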