diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index 9adc4c29b..a69ce37e3 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -523,12 +523,16 @@ class ConfigController extends AbstractController
/**
* Remove all annotations OR tags OR entries for the current user.
*
- * @Route("/reset/{type}", requirements={"id" = "annotations|tags|entries"}, name="config_reset")
+ * @Route("/reset/{type}", requirements={"id" = "annotations|tags|entries"}, name="config_reset", methods={"POST"})
*
* @return RedirectResponse
*/
- public function resetAction(string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository)
+ public function resetAction(Request $request, string $type, AnnotationRepository $annotationRepository, EntryRepository $entryRepository)
{
+ if (!$this->isCsrfTokenValid('reset-area', $request->request->get('token'))) {
+ throw $this->createAccessDeniedException('Bad CSRF token.');
+ }
+
switch ($type) {
case 'annotations':
$annotationRepository->removeAllByUserId($this->getUser()->getId());
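Review bot: The rewritten `@Route` on the new line still keys its requirement on `id` while the placeholder is `{type}`, so the `annotations|tags|entries` constraint is never applied and the router passes any value through to `$type`; the list is also narrower than what the code handles, since the test hunk further down submits `reset-archived` and expects an `archived` reset to succeed. This commit is the right moment to fix it: `@Route("/reset/{type}", requirements={"type" = "annotations|tags|entries|archived"}, name="config_reset", methods={"POST"})`. With the requirement inert, the `switch` (whose remaining cases and the `resetAction` body continue past the hunk) is the only thing validating `$type`, so whether an unknown value is rejected or silently does nothing cannot be confirmed from here. The CSRF check itself reads correctly: one shared token id `reset-area`, the token taken from the POST body, and the denial raised before any repository call.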
diff --git a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
index 8681b20c2..30c39294f 100644
--- a/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/Config/index.html.twig
@@ -552,18 +552,34 @@
{% if enabled_users > 1 %}
diff --git a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
index 03a7485df..9174daf85 100644
--- a/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
+++ b/tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php
@@ -929,7 +929,8 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertSame(200, $client->getResponse()->getStatusCode());
- $crawler = $client->click($crawler->selectLink('config.reset.annotations')->link());
+ $form = $crawler->filter('form[name=reset-annotations]')->form();
+ $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertStringContainsString('flashes.config.notice.annotations_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
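Review bot: None of the updated tests (this hunk and the four that follow it for tags, entries, archived and the second entries case) exercise the protection the controller change introduces; they only submit the form with its own token, which would also pass if the CSRF check and the `methods={"POST"}` restriction were absent. At least one of them should assert the negative path: a GET to the form's URI now answers 405, and a POST with a wrong `token` is refused, which I would expect to surface as 403 for a logged-in user via `createAccessDeniedException`, though that depends on how the access-denied handler is configured for this firewall. The enclosing test methods start before each hunk, so the login and initial crawl are reused from there.
```php
// … unchanged: login and crawl of the config page …
$form = $crawler->filter('form[name=reset-annotations]')->form();

$client->request('GET', $form->getUri());
$this->assertSame(405, $client->getResponse()->getStatusCode());

$client->submit($form, ['token' => 'not-the-issued-token']);
$this->assertSame(403, $client->getResponse()->getStatusCode());
```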
@@ -945,7 +946,8 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertSame(200, $client->getResponse()->getStatusCode());
- $crawler = $client->click($crawler->selectLink('config.reset.tags')->link());
+ $form = $crawler->filter('form[name=reset-tags]')->form();
+ $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertStringContainsString('flashes.config.notice.tags_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
@@ -961,7 +963,8 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertSame(200, $client->getResponse()->getStatusCode());
- $crawler = $client->click($crawler->selectLink('config.reset.entries')->link());
+ $form = $crawler->filter('form[name=reset-entries]')->form();
+ $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertStringContainsString('flashes.config.notice.entries_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
@@ -1027,7 +1030,8 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertSame(200, $client->getResponse()->getStatusCode());
- $crawler = $client->click($crawler->selectLink('config.reset.archived')->link());
+ $form = $crawler->filter('form[name=reset-archived]')->form();
+ $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertStringContainsString('flashes.config.notice.archived_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);
@@ -1086,7 +1090,8 @@ class ConfigControllerTest extends WallabagCoreTestCase
$this->assertSame(200, $client->getResponse()->getStatusCode());
- $crawler = $client->click($crawler->selectLink('config.reset.entries')->link());
+ $form = $crawler->filter('form[name=reset-entries]')->form();
+ $client->submit($form);
$this->assertSame(302, $client->getResponse()->getStatusCode());
$this->assertStringContainsString('flashes.config.notice.entries_reset', $client->getContainer()->get(SessionInterface::class)->getFlashBag()->get('notice')[0]);