From 84769cab3e3c0b55fe62fbe0e7bd3cbee816dc40 Mon Sep 17 00:00:00 2001
From: Pierre Jaury <pierre@jaury.eu>
Date: Fri, 19 Aug 2016 10:49:05 +0200
Subject: [PATCH] Switch to form-based confirmations, fixes #20

---
 admin/freeposte/admin/templates/admin/list.html     | 2 +-
 admin/freeposte/admin/templates/alias/list.html     | 2 +-
 admin/freeposte/admin/templates/domain/details.html | 2 +-
 admin/freeposte/admin/templates/domain/list.html    | 2 +-
 admin/freeposte/admin/templates/fetch/list.html     | 2 +-
 admin/freeposte/admin/templates/manager/list.html   | 2 +-
 admin/freeposte/admin/templates/user/list.html      | 2 +-
 admin/freeposte/admin/views/admins.py               | 5 +++--
 admin/freeposte/admin/views/aliases.py              | 3 ++-
 admin/freeposte/admin/views/domains.py              | 8 ++++++--
 admin/freeposte/admin/views/fetches.py              | 3 ++-
 admin/freeposte/admin/views/managers.py             | 3 ++-
 admin/freeposte/admin/views/users.py                | 3 ++-
 13 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/admin/freeposte/admin/templates/admin/list.html b/admin/freeposte/admin/templates/admin/list.html
index 8a733392..01054991 100644
--- a/admin/freeposte/admin/templates/admin/list.html
+++ b/admin/freeposte/admin/templates/admin/list.html
@@ -18,7 +18,7 @@ Global administrators
     {% for admin in admins %}
     <tr>
       <td>
-        <a href="{{ url_for('.admin_delete', admin=admin.email) }}" onclick="return confirm('Are you sure?')" title="Delete"><i class="fa fa-trash"></i></a>
+        <a href="{{ url_for('.admin_delete', admin=admin.email) }}" title="Delete"><i class="fa fa-trash"></i></a>
       </td>
       <td>{{ admin }}</td>
     </tr>
diff --git a/admin/freeposte/admin/templates/alias/list.html b/admin/freeposte/admin/templates/alias/list.html
index 83c0b058..3d752329 100644
--- a/admin/freeposte/admin/templates/alias/list.html
+++ b/admin/freeposte/admin/templates/alias/list.html
@@ -27,7 +27,7 @@ Alias list
     <tr>
       <td>
         <a href="{{ url_for('.alias_edit', alias=alias.email) }}" title="Edit"><i class="fa fa-pencil"></i></a>&nbsp;
-        <a href="{{ url_for('.alias_delete', alias=alias.email) }}" onclick="return confirm('Are you sure?')" title="Delete"><i class="fa fa-trash"></i></a>
+        <a href="{{ url_for('.alias_delete', alias=alias.email) }}" title="Delete"><i class="fa fa-trash"></i></a>
       </td>
       <td>{{ alias }}</td>
       <td>{{ alias.destination|join(', ') or '-' }}</td>
diff --git a/admin/freeposte/admin/templates/domain/details.html b/admin/freeposte/admin/templates/domain/details.html
index d78e0d76..c70120fd 100644
--- a/admin/freeposte/admin/templates/domain/details.html
+++ b/admin/freeposte/admin/templates/domain/details.html
@@ -10,7 +10,7 @@ Domain details
 
 {% block main_action %}
 {% if current_user.global_admin %}
-<a class="btn btn-primary" href="{{ url_for(".domain_genkeys", domain_name=domain.name) }}" onclick="return confirm('Are you sure?')">Regenerate keys</a>
+<a class="btn btn-primary" href="{{ url_for(".domain_genkeys", domain_name=domain.name) }}">Regenerate keys</a>
 {% endif %}
 {% endblock %}
 
diff --git a/admin/freeposte/admin/templates/domain/list.html b/admin/freeposte/admin/templates/domain/list.html
index 4e7290e3..4aa150e4 100644
--- a/admin/freeposte/admin/templates/domain/list.html
+++ b/admin/freeposte/admin/templates/domain/list.html
@@ -29,7 +29,7 @@ Domain list
         <a href="{{ url_for('.domain_details', domain_name=domain.name) }}" title="Details"><i class="fa fa-list"></i></a>&nbsp;
         {% if current_user.global_admin %}
         <a href="{{ url_for('.domain_edit', domain_name=domain.name) }}" title="Edit"><i class="fa fa-pencil"></i></a>&nbsp;
-        <a href="{{ url_for('.domain_delete', domain_name=domain.name) }}" onclick="return confirm('Are you sure?')" title="Delete"><i class="fa fa-trash"></i></a>&nbsp;
+        <a href="{{ url_for('.domain_delete', domain_name=domain.name) }}" title="Delete"><i class="fa fa-trash"></i></a>&nbsp;
         {% endif %}
       </td>
       <td>
diff --git a/admin/freeposte/admin/templates/fetch/list.html b/admin/freeposte/admin/templates/fetch/list.html
index 8397a65e..8eb26631 100644
--- a/admin/freeposte/admin/templates/fetch/list.html
+++ b/admin/freeposte/admin/templates/fetch/list.html
@@ -29,7 +29,7 @@ Fetched accounts
     <tr>
       <td>
         <a href="{{ url_for('.fetch_edit', fetch_id=fetch.id) }}" title="Edit"><i class="fa fa-pencil"></i></a>&nbsp;
-        <a href="{{ url_for('.fetch_delete', fetch_id=fetch.id) }}" onclick="return confirm('Are you sure?')" title="Delete"><i class="fa fa-trash"></i></a>
+        <a href="{{ url_for('.fetch_delete', fetch_id=fetch.id) }}" title="Delete"><i class="fa fa-trash"></i></a>
       </td>
       <td>{{ fetch.protocol }}</td>
       <td>{{ fetch.host }}</td>
diff --git a/admin/freeposte/admin/templates/manager/list.html b/admin/freeposte/admin/templates/manager/list.html
index b915529b..23ef317f 100644
--- a/admin/freeposte/admin/templates/manager/list.html
+++ b/admin/freeposte/admin/templates/manager/list.html
@@ -22,7 +22,7 @@ Manager list
     {% for manager in domain.managers %}
     <tr>
       <td>
-        <a href="{{ url_for('.manager_delete', manager=manager.email) }}" onclick="return confirm('Are you sure?')" title="Delete"><i class="fa fa-trash"></i></a>
+        <a href="{{ url_for('.manager_delete', manager=manager.email) }}" title="Delete"><i class="fa fa-trash"></i></a>
       </td>
       <td>{{ manager }}</td>
     </tr>
diff --git a/admin/freeposte/admin/templates/user/list.html b/admin/freeposte/admin/templates/user/list.html
index 0f605f6b..e0c13ec8 100644
--- a/admin/freeposte/admin/templates/user/list.html
+++ b/admin/freeposte/admin/templates/user/list.html
@@ -29,7 +29,7 @@ User list
     <tr>
       <td>
         <a href="{{ url_for('.user_edit', user_email=user.email) }}" title="Edit"><i class="fa fa-pencil"></i></a>&nbsp;
-        <a href="{{ url_for('.user_delete', user_email=user.email) }}" onclick="return confirm('Are you sure?')" title="Delete"><i class="fa fa-trash"></i></a>
+        <a href="{{ url_for('.user_delete', user_email=user.email) }}" title="Delete"><i class="fa fa-trash"></i></a>
       </td>
       <td>
         <a href="{{ url_for('.user_settings', user_email=user.email) }}" title="Settings"><i class="fa fa-wrench"></i></a>&nbsp;
diff --git a/admin/freeposte/admin/views/admins.py b/admin/freeposte/admin/views/admins.py
index 801f79bc..b607f849 100644
--- a/admin/freeposte/admin/views/admins.py
+++ b/admin/freeposte/admin/views/admins.py
@@ -1,4 +1,4 @@
-from freeposte.admin import app, db, models, forms
+from freeposte.admin import app, db, models, forms, utils
 
 import os
 import pprint
@@ -35,7 +35,8 @@ def admin_create():
     return flask.render_template('admin/create.html', form=form)
 
 
-@app.route('/admin/delete/<admin>', methods=['GET'])
+@app.route('/admin/delete/<admin>', methods=['GET', 'POST'])
+@utils.confirmation_required("delete admin {admin }")
 @flask_login.login_required
 def admin_delete(admin):
     user = models.User.query.get(admin)
diff --git a/admin/freeposte/admin/views/aliases.py b/admin/freeposte/admin/views/aliases.py
index 8d781e9f..b60ff7c0 100644
--- a/admin/freeposte/admin/views/aliases.py
+++ b/admin/freeposte/admin/views/aliases.py
@@ -53,7 +53,8 @@ def alias_edit(alias):
         form=form, alias=alias, domain=alias.domain)
 
 
-@app.route('/alias/delete/<alias>', methods=['GET'])
+@app.route('/alias/delete/<alias>', methods=['GET', 'POST'])
+@utils.confirmation_required("delete {alias}")
 @flask_login.login_required
 def alias_delete(alias):
     alias = utils.get_alias(alias)
diff --git a/admin/freeposte/admin/views/domains.py b/admin/freeposte/admin/views/domains.py
index 8c3c4b29..93b0449e 100644
--- a/admin/freeposte/admin/views/domains.py
+++ b/admin/freeposte/admin/views/domains.py
@@ -47,7 +47,8 @@ def domain_edit(domain_name):
         domain=domain)
 
 
-@app.route('/domain/delete/<domain_name>', methods=['GET'])
+@app.route('/domain/delete/<domain_name>', methods=['GET', 'POST'])
+@utils.confirmation_required("delete {domain_name}")
 @flask_login.login_required
 def domain_delete(domain_name):
     utils.require_global_admin()
@@ -59,13 +60,16 @@ def domain_delete(domain_name):
 
 
 @app.route('/domain/details/<domain_name>', methods=['GET'])
+@flask_login.login_required
 def domain_details(domain_name):
     domain = utils.get_domain_admin(domain_name)
     return flask.render_template('domain/details.html', domain=domain,
         config=flask_app.config)
 
 
-@app.route('/domain/genkeys/<domain_name>', methods=['GET'])
+@app.route('/domain/genkeys/<domain_name>', methods=['GET', 'POST'])
+@utils.confirmation_required("regenerate keys for {domain_name}")
+@flask_login.login_required
 def domain_genkeys(domain_name):
     domain = utils.get_domain_admin(domain_name)
     domain.generate_dkim_key()
diff --git a/admin/freeposte/admin/views/fetches.py b/admin/freeposte/admin/views/fetches.py
index c7f88d89..5870ef2a 100644
--- a/admin/freeposte/admin/views/fetches.py
+++ b/admin/freeposte/admin/views/fetches.py
@@ -46,7 +46,8 @@ def fetch_edit(fetch_id):
         form=form, fetch=fetch)
 
 
-@app.route('/fetch/delete/<fetch_id>', methods=['GET'])
+@app.route('/fetch/delete/<fetch_id>', methods=['GET', 'POST'])
+@utils.confirmation_required("delete a fetched account")
 @flask_login.login_required
 def fetch_delete(fetch_id):
     fetch = utils.get_fetch(fetch_id)
diff --git a/admin/freeposte/admin/views/managers.py b/admin/freeposte/admin/views/managers.py
index d7d4f57b..b19789df 100644
--- a/admin/freeposte/admin/views/managers.py
+++ b/admin/freeposte/admin/views/managers.py
@@ -36,7 +36,8 @@ def manager_create(domain_name):
         domain=domain, form=form)
 
 
-@app.route('/manager/delete/<manager>', methods=['GET'])
+@app.route('/manager/delete/<manager>', methods=['GET', 'POST'])
+@utils.confirmation_required("remove manager {manager}")
 @flask_login.login_required
 def manager_delete(manager):
     user = utils.get_user(manager, admin=True)
diff --git a/admin/freeposte/admin/views/users.py b/admin/freeposte/admin/views/users.py
index 3374d2c2..0c6c6374 100644
--- a/admin/freeposte/admin/views/users.py
+++ b/admin/freeposte/admin/views/users.py
@@ -56,7 +56,8 @@ def user_edit(user_email):
     return flask.render_template('user/edit.html', form=form, user=user, domain=user.domain)
 
 
-@app.route('/user/delete/<user_email>', methods=['GET'])
+@app.route('/user/delete/<user_email>', methods=['GET', 'POST'])
+@utils.confirmation_required("delete {user_email}")
 @flask_login.login_required
 def user_delete(user_email):
     user = utils.get_user(user_email, True)