clear_cache & maintenance csrf

admin/pages/dashboard.php

@@ -12,7 +12,7 @@ $title = 'Dashboard';
 
 csrfProtect();
 
-if (isset($_GET['clear_cache'])) {
+if (isset($_POST['clear_cache'])) {
 	if (clearCache()) {
 		success('Cache cleared.');
 	} else {
@@ -20,7 +20,7 @@ if (isset($_GET['clear_cache'])) {
 	}
 }
 
-if (isset($_GET['maintenance'])) {
+if (isset($_POST['maintenance'])) {
 	$message = (!empty($_POST['message']) ? $_POST['message'] : null);
 	$_status = (isset($_POST['status']) && $_POST['status'] == 'true');
 	$_status = ($_status ? '0' : '1');

admin/pages/modules/templates/web_status.twig

@@ -1,11 +1,9 @@
 <div class="col-12 col-md-6">
 	<div class="card card-warning card-outline">
-		<form action="?p=dashboard&maintenance" method="post" class="form-horizontal">
-			{{ csrf() }}
 			<div class="card-header">
 				<span class="m-0">Website Status<span class="float-right">
 				<div class="custom-control custom-switch custom-switch-off-danger custom-switch-on-success">
-					<input type="checkbox" class="custom-control-input" name="status" id="status" value="true" {% if not is_closed %} checked{% endif %}>
+					<input form="maintenance-form" type="checkbox" class="custom-control-input" name="status" id="status" value="true" {% if not is_closed %} checked{% endif %}>
 					<label id="status-label" class="custom-control-label" for="status"> {% if is_closed %}Closed{% else %}Open{% endif %}</label>
 				</div></span>
 				</span>
@@ -13,17 +11,22 @@
 			<div class="card-body p-2">
 				<div class="col-sm-12">
 					<label for="message" class="col-form-label">Maintenance Message</label>
-					<textarea name="message" class="form-control" cols="40" rows="3" maxlength="255" placeholder="Enter ...">{{ closed_message }}</textarea>
+					<textarea form="maintenance-form" name="message" class="form-control" cols="40" rows="3" maxlength="255" placeholder="Enter ...">{{ closed_message }}</textarea>
 					<small>(only visible if closed)</small>
 				</div>
 			</div>
 			<div class="card-footer">
-				<button type="submit" class="btn btn-info"><i class="far fa-update"></i> Update</button>
+				<form id="maintenance-form" method="post" action="?p=dashboard" class="float-left">
-				<a href="?p=dashboard&clear_cache" onclick="return confirm('Are you sure?');" class="float-right">
+					{{ csrf() }}
-					<span class="btn btn-danger"><i class="fas fa-clear"></i>Clear cache</span>
+					<input type="hidden" name="maintenance" value="1" />
-				</a>
+					<button type="submit" class="btn btn-info"><i class="far fa-update"></i> Update</button>
+				</form>
+				<form method="post" action="?p=dashboard" class="float-right">
+					{{ csrf() }}
+					<input type="hidden" name="clear_cache" value="1" />
+					<button type="submit" onclick="return confirm('Are you sure?');" class="btn btn-danger" title="Clear Cache"><i class="fas fa-clear"></i>Clear cache</button>
+				</form>
 			</div>
-		</form>
 	</div>
 </div>
 

system/templates/admin-bar.html.twig

@@ -106,9 +106,11 @@ html { margin-top: 32px !important; }
 			</a>
 		</li>
 		<li>
-			<a class="ab-item" href="{{ constant('ADMIN_URL') }}?p=dashboard&clear_cache">
+			<form method="post" action="{{ constant('ADMIN_URL') }}?p=dashboard">
-				Clear Cache
+				{{ csrf() }}
-			</a>
+				<input type="hidden" name="clear_cache" value="1" />
+				<a class="ab-item" href="#" onclick="confirm('Are you sure?') && $(this).closest('form').submit()" title="Clear Cache">Clear Cache</a>
+			</form>
 		</li>
 	</ul>
 	<ul class="ab-top-secondary">