From 83540ad31c376730b0216cc74dec35cafe4782ae Mon Sep 17 00:00:00 2001
From: kilo
Date: Thu, 12 Oct 2017 02:54:01 +0200
Subject: [PATCH] Fix a condition that didn't behave as intended (#1651)
* Update profile.go
* Update router.go
* Update torrents.go
* Update router.go
* Update announcements.go
* Update comments.go
* Update oauth.go
* Update reports.go
* Update router.go
* Update index.jet.html
* Update torrentlist.jet.html
* Update commentlist.jet.html
* Update announcements.jet.html
* Update clientlist.jet.html
* Update torrent_report.jet.html
* Update userlist.jet.html
* Update userlist.jet.html
* Update userlist.jet.html
* Update edit.jet.html
* Update delete.go
* Update edit.jet.html
* Update index.jet.html
* Update profile.go
* Update router.go
* Update profile.go
* Update edit.jet.html
* Update userlist.jet.html
* Update index.jet.html
* remove hotfix that didn't even hit live
---
controllers/moderator/announcements.go | 2 +-
controllers/moderator/comments.go | 2 +-
controllers/moderator/oauth.go | 2 +-
controllers/moderator/reports.go | 2 +-
controllers/moderator/router.go | 12 +++++------
controllers/moderator/torrents.go | 2 +-
controllers/torrent/comment.go | 3 ---
controllers/torrent/delete.go | 2 +-
controllers/torrent/router.go | 2 +-
controllers/user/profile.go | 27 +++++++++++++++++--------
controllers/user/router.go | 1 +
templates/admin/announcements.jet.html | 7 ++++---
templates/admin/clientlist.jet.html | 7 ++++---
templates/admin/commentlist.jet.html | 7 ++++---
templates/admin/index.jet.html | 27 +++++++++++++++----------
templates/admin/torrent_report.jet.html | 15 +++++++-------
templates/admin/torrentlist.jet.html | 16 ++++++++-------
templates/admin/userlist.jet.html | 6 +++---
templates/site/user/edit.jet.html | 4 +++-
19 files changed, 84 insertions(+), 62 deletions(-)
diff --git a/controllers/moderator/announcements.go b/controllers/moderator/announcements.go
index d59d600c..64d6c7da 100644
--- a/controllers/moderator/announcements.go
+++ b/controllers/moderator/announcements.go @@ -75,7 +75,7 @@ func addAnnouncement(c *gin.Context) { func postAnnouncement(c *gin.Context) { messages := msg.GetMessages(c) announcement := &models.Notification{} - id, _ := strconv.Atoi(c.Query("id")) + id, _ := strconv.Atoi(c.PostForm("id")) if id > 0 { var err error announcement, err = notifications.FindByID(uint(id)) diff --git a/controllers/moderator/comments.go b/controllers/moderator/comments.go index 45b913b6..8208182c 100644 --- a/controllers/moderator/comments.go +++ b/controllers/moderator/comments.go @@ -48,7 +48,7 @@ func CommentsListPanel(c *gin.Context) { // CommentDeleteModPanel : Controller for deleting a comment func CommentDeleteModPanel(c *gin.Context) { - id, _ := strconv.ParseInt(c.Query("id"), 10, 32) + id, _ := strconv.ParseInt(c.PostForm("id"), 10, 32) comment, _, err := comments.Delete(uint(id)) if err == nil { activities.Log(&models.User{}, comment.Identifier(), "delete", "comment_deleted_by", strconv.Itoa(int(comment.ID)), comment.User.Username, router.GetUser(c).Username) diff --git a/controllers/moderator/oauth.go b/controllers/moderator/oauth.go index daab37c0..1620a6e4 100644 --- a/controllers/moderator/oauth.go +++ b/controllers/moderator/oauth.go @@ -148,7 +148,7 @@ func clientsListPanel(c *gin.Context) { // clientsDeleteModPanel : Controller for deleting a comment func clientsDeleteModPanel(c *gin.Context) { - id := c.Query("id") + id := c.PostForm("id") sqlManager := manager.SQLManager{&fosite.BCrypt{WorkFactor: 12}} client, err := oauth_client.FindByID(id) if err != nil { diff --git a/controllers/moderator/reports.go b/controllers/moderator/reports.go index 9add0188..d78d54bb 100644 --- a/controllers/moderator/reports.go +++ b/controllers/moderator/reports.go 
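Review bot: In postAnnouncement the `strconv.Atoi` error is still discarded, so with the id now read from the form body a missing or malformed `id` silently becomes 0 and the `if id > 0` lookup is skipped, leaving the empty `&models.Notification{}` in place. If the edit form still carries the id in the URL (the template is not readable in this patch), an edit would presumably be stored as a new announcement instead of updating the existing one. Keep the error, `id, err := strconv.Atoi(c.PostForm("id"))`, and answer with a 400 when the field is present but does not parse. postAnnouncement's body continues outside the hunk.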
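Review bot: `strconv.ParseInt(c.PostForm("id"), 10, 32)` drops its error and the result is converted with `uint(id)` before `comments.Delete`, so an absent field becomes ID 0 and a negative value wraps to a large unsigned ID. Parse with `strconv.ParseUint(c.PostForm("id"), 10, 32)` and return a 400 when `err != nil` or the id is 0, before calling `comments.Delete`. The same discarded-parse-error pattern is in TorrentDeleteModPanel (moderator/torrents.go), TorrentDeleteUserPanel (torrent/delete.go) and TorrentReportDeleteModPanel (moderator/reports.go). CommentDeleteModPanel continues outside the hunk.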
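Review bot: The doc comment on clientsDeleteModPanel still reads "Controller for deleting a comment", which was copied from the comment handler and misdescribes a function that looks up and deletes an OAuth client. Suggest `// clientsDeleteModPanel deletes the OAuth client whose id is posted in the "id" form field.` An empty `id` is passed straight to `oauth_client.FindByID`; the body continues outside the hunk, so whether that case is rejected cannot be seen here and is worth stating in the comment.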
@@ -37,7 +37,7 @@ func TorrentReportListPanel(c *gin.Context) { // TorrentReportDeleteModPanel : Controller for deleting a torrent report func TorrentReportDeleteModPanel(c *gin.Context) { - id := c.Query("id") + id := c.PostForm("id") fmt.Println(id) idNum, _ := strconv.ParseUint(id, 10, 64) diff --git a/controllers/moderator/router.go b/controllers/moderator/router.go index 237bd7b9..6fd0e94e 100644 --- a/controllers/moderator/router.go +++ b/controllers/moderator/router.go @@ -47,26 +47,26 @@ func init() { modRoutes.POST("/torrent", TorrentPostEditModPanel) /* Torrent delete routes */ - modRoutes.Any("/torrent/delete", TorrentDeleteModPanel) + modRoutes.POST("/torrent/delete", TorrentDeleteModPanel) /* Announcement edit view */ modRoutes.GET("/announcement/form", addAnnouncement) modRoutes.POST("/announcement/form", postAnnouncement) /* Announcement delete routes */ - modRoutes.Any("/announcement/delete", deleteAnnouncement) + modRoutes.POST("/announcement/delete", deleteAnnouncement) /* Torrent lock/unlock route */ modRoutes.Any("/torrent/block", TorrentBlockModPanel) /* Tags delete route */ - modRoutes.Any("/tags/delete", DeleteTagsModPanel) + modRoutes.POST("/tags/delete", DeleteTagsModPanel) /* Report delete route */ - modRoutes.Any("/report/delete", TorrentReportDeleteModPanel) + modRoutes.POST("/report/delete", TorrentReportDeleteModPanel) /* Comment delete route */ - modRoutes.Any("/comment/delete", CommentDeleteModPanel) + modRoutes.POST("/comment/delete", CommentDeleteModPanel) /* Reassign form routes */ modRoutes.GET("/reassign", TorrentReassignModPanel) @@ -77,7 +77,7 @@ func init() { modRoutes.GET("/oauth_client/p/:page", clientsListPanel) /* Oauth client delete route */ - modRoutes.GET("/oauth_client/delete", clientsDeleteModPanel) + modRoutes.POST("/oauth_client/delete", clientsDeleteModPanel) /* Oauth client edit routes */ modRoutes.GET("/oauth_client/form", formClientController) 
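Review bot: `fmt.Println(id)` prints the raw, unvalidated form value to stdout on every report deletion; it looks like leftover debugging and lets any request body text, line breaks included, end up in the process output. Remove the line, or log the parsed number only after `strconv.ParseUint` has succeeded. The `ParseUint` error on the following line is discarded as well, so a malformed id reaches the delete path as 0. TorrentReportDeleteModPanel continues outside the hunk.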
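Review bot: `modRoutes.Any("/torrent/block", TorrentBlockModPanel)` is left as `Any` while every delete route around it is narrowed to POST, so locking and unlocking a torrent can still be triggered by a plain GET made with a moderator's session. If the handler changes state, as its route comment "Torrent lock/unlock route" suggests, register it as `modRoutes.POST("/torrent/block", TorrentBlockModPanel)` and update the template that calls it. init() starts and ends outside the hunk.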
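Review bot: Moving `/oauth_client/delete` to POST stops deletion through followed links and prefetching, but a POST-only route can still be hit by a cross-site form submission unless the request carries an anti-CSRF token that the server verifies. No token check or CSRF middleware is visible in the route groups touched by this commit (this file, torrent/router.go, user/router.go); it may be attached where the groups are created, outside the hunks, so that should be confirmed. If it is not, add a per-session token to the new delete forms and verify it before any of these handlers run.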
diff --git a/controllers/moderator/torrents.go b/controllers/moderator/torrents.go index ded186e2..4b12eeef 100644 --- a/controllers/moderator/torrents.go +++ b/controllers/moderator/torrents.go @@ -120,7 +120,7 @@ func TorrentPostEditModPanel(c *gin.Context) { // TorrentDeleteModPanel : Controller for deleting a torrent func TorrentDeleteModPanel(c *gin.Context) { - id, _ := strconv.ParseInt(c.Query("id"), 10, 32) + id, _ := strconv.ParseInt(c.PostForm("id"), 10, 32) definitely := c.Request.URL.Query()["definitely"] var returnRoute = "/mod/torrents" diff --git a/controllers/torrent/comment.go b/controllers/torrent/comment.go index dc33a971..6aa8fc28 100644 --- a/controllers/torrent/comment.go +++ b/controllers/torrent/comment.go @@ -34,9 +34,6 @@ func PostCommentHandler(c *gin.Context) { messages.AddErrorT("errors", "bad_captcha") } } - if strings.Contains(c.PostForm("comment"), "mod") && strings.Contains(c.PostForm("comment"), "delete") { - messages.AddError("errors", "xxx") - } content := sanitize.Sanitize(c.PostForm("comment"), "comment") if strings.TrimSpace(content) == "" { diff --git a/controllers/torrent/delete.go b/controllers/torrent/delete.go index 8d1c6685..2a84828f 100644 --- a/controllers/torrent/delete.go +++ b/controllers/torrent/delete.go @@ -15,7 +15,7 @@ import ( // TorrentDeleteUserPanel : Controller for deleting a user torrent by a user func TorrentDeleteUserPanel(c *gin.Context) { - id, _ := strconv.ParseInt(c.Query("id"), 10, 32) + id, _ := strconv.ParseInt(c.PostForm("id"), 10, 32) currentUser := router.GetUser(c) torrent, _ := torrents.FindByID(uint(id)) if currentUser.CurrentOrAdmin(torrent.UploaderID) && torrent.ID > 0 { diff --git a/controllers/torrent/router.go b/controllers/torrent/router.go index 72025281..ce5c067b 100644 --- a/controllers/torrent/router.go +++ b/controllers/torrent/router.go 
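Review bot: TorrentDeleteModPanel now reads `id` from the form body but still reads `definitely` from `c.Request.URL.Query()`, so one request has to carry its parameters in two places and the flag stays in the URL where it is logged and bookmarkable. Unless the form deliberately posts to the delete URL with `?definitely` appended, read it from the body too, e.g. `_, definitely := c.GetPostForm("definitely")`, and change the later nil check to test the boolean. The rest of the function is outside the hunk, so how `definitely` is used there needs checking when making the change.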
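Review bot: In TorrentDeleteUserPanel the error from `torrents.FindByID(uint(id))` is discarded and `torrent.UploaderID` is read before the `torrent.ID > 0` test. If FindByID returns a nil pointer for an unknown id (its return type is not visible here), the handler panics on a request-controlled value; even with a value type, the ownership check runs against a zero-valued torrent. Keep the error, `torrent, err := torrents.FindByID(uint(id))`, return a 404 when `err != nil`, and only then evaluate `CurrentOrAdmin`. The function continues outside the hunk.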
@@ -17,7 +17,7 @@ func init() { torrentRoutes.POST("/tag", ViewFormTag) torrentRoutes.GET("/tag/add", AddTag) torrentRoutes.GET("/tag/remove", DeleteTag) - torrentRoutes.GET("/delete", TorrentDeleteUserPanel) + torrentRoutes.POST("/delete", TorrentDeleteUserPanel) } torrentViewRoutes := router.Get().Group("/view") { diff --git a/controllers/user/profile.go b/controllers/user/profile.go index 9cb5c0ce..4a900b81 100644 --- a/controllers/user/profile.go +++ b/controllers/user/profile.go @@ -22,13 +22,30 @@ import ( "github.com/gin-gonic/gin" ) +// UserProfileDelete : Deleting User Profile +func UserProfileDelete(c *gin.Context) { + id, _ := strconv.ParseUint(c.Param("id"), 10, 32) + + userProfile, _, errorUser := users.FindForAdmin(uint(id)) + if errorUser == nil{ + currentUser := router.GetUser(c) + if (currentUser.CurrentOrAdmin(userProfile.ID)) { + _, err := userProfile.Delete(currentUser) + if err == nil && currentUser.CurrentUserIdentical(userProfile.ID) { + cookies.Clear(c) + } + } + templates.Static(c, "site/static/delete_success.jet.html") + } +} + // UserProfileHandler : Getting User Profile func UserProfileHandler(c *gin.Context) { id, _ := strconv.ParseUint(c.Param("id"), 10, 32) Ts, _ := publicSettings.GetTfuncAndLanguageFromRequest(c) messages := msg.GetMessages(c) - if id == 0 && ContainsNonNumbersChars(c.Param("id")) { + if c.Param("id") != "0" && id == 0 && ContainsNonNumbersChars(c.Param("id")) { c.Redirect(http.StatusSeeOther, fmt.Sprintf("/username/%s", c.Param("id"))) return } 
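Review bot: `torrentRoutes.GET("/tag/add", AddTag)` and `torrentRoutes.GET("/tag/remove", DeleteTag)` stay on GET although, going by their names, they modify a torrent's tags, which is the same class of problem this commit fixes for `/delete`. If they do change state, register them with `torrentRoutes.POST(...)` and move the handlers from `c.Query` to `c.PostForm`, as done for the delete handlers. init() starts and ends outside the hunk.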
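Review bot: UserProfileDelete renders `delete_success.jet.html` whenever the user lookup succeeds, even when `CurrentOrAdmin` is false or `userProfile.Delete` returned an error, and it writes no response at all when `FindForAdmin` fails. A caller without permission therefore receives a success page for a deletion that did not happen, and a real failure cannot be told apart from success. Return an error status on each of those paths and render the success page only after Delete has succeeded; the added lines are also not gofmt-clean (`== nil{`, parenthesised `if` condition). The rewrite below keeps the same calls and only restructures the control flow.

```go
// UserProfileDelete deletes the profile named by the :id path parameter when
// the requester is that user or an admin.
func UserProfileDelete(c *gin.Context) {
	id, err := strconv.ParseUint(c.Param("id"), 10, 32)
	if err != nil {
		c.AbortWithStatus(http.StatusBadRequest)
		return
	}
	userProfile, _, err := users.FindForAdmin(uint(id))
	if err != nil {
		c.AbortWithStatus(http.StatusNotFound)
		return
	}
	currentUser := router.GetUser(c)
	if !currentUser.CurrentOrAdmin(userProfile.ID) {
		c.AbortWithStatus(http.StatusForbidden)
		return
	}
	if _, err := userProfile.Delete(currentUser); err != nil {
		c.AbortWithStatus(http.StatusInternalServerError)
		return
	}
	// Only drop the session when the user removed their own account.
	if currentUser.CurrentUserIdentical(userProfile.ID) {
		cookies.Clear(c)
	}
	templates.Static(c, "site/static/delete_success.jet.html")
}
```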
@@ -40,13 +57,7 @@ func UserProfileHandler(c *gin.Context) { unfollow := c.Request.URL.Query()["unfollowed"] deleteVar := c.Request.URL.Query()["delete"] - if (deleteVar != nil) && (currentUser.CurrentOrAdmin(userProfile.ID)) { - _, err := userProfile.Delete(currentUser) - if err == nil && currentUser.CurrentUserIdentical(userProfile.ID) { - cookies.Clear(c) - } - templates.Static(c, "site/static/delete_success.jet.html") - } else { + if !((deleteVar != nil) && (currentUser.CurrentOrAdmin(userProfile.ID))) { if follow != nil { messages.AddInfof("infos", Ts("user_followed_msg"), userProfile.Username) } diff --git a/controllers/user/router.go b/controllers/user/router.go index 0ae20d89..a0b8c927 100644 --- a/controllers/user/router.go +++ b/controllers/user/router.go @@ -36,6 +36,7 @@ func init() { userRoutes.GET("/:id/:username/search/:page", searchController.UserSearchHandler) userRoutes.GET("/:id/:username/feed", feedController.RSSHandler) userRoutes.GET("/:id/:username/feed/:page", feedController.RSSHandler) + userRoutes.POST("/:id/:username/delete", UserProfileDelete) } router.Get().Any("/username", RedirectToUserSearch) diff --git a/templates/admin/announcements.jet.html b/templates/admin/announcements.jet.html index 1b6efb72..d4fc5495 100644 --- a/templates/admin/announcements.jet.html +++ b/templates/admin/announcements.jet.html @@ -21,9 +21,10 @@ {{ .Expire }} - - {{ T("delete") }} - +
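Review bot: The new guard `if !((deleteVar != nil) && (currentUser.CurrentOrAdmin(userProfile.ID)))` keeps the old delete condition only to negate it, so a GET with `?delete` from the owner or an admin now skips this whole block and nothing replaces the removed branch. As far as the hunk shows, that request loses the follow/unfollow messages and possibly the page render; the block's end is outside the hunk, so what it encloses should be confirmed. Since deletion now lives in UserProfileDelete, drop `deleteVar := c.Request.URL.Query()["delete"]` and the `if` wrapper and run the block unconditionally.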
+ + +
{{end}} diff --git a/templates/admin/clientlist.jet.html b/templates/admin/clientlist.jet.html index 3324d516..70935aab 100644 --- a/templates/admin/clientlist.jet.html +++ b/templates/admin/clientlist.jet.html @@ -17,9 +17,10 @@ {{ .Owner }} - - {{ T("delete") }} - +
+ + +
{{end}} diff --git a/templates/admin/commentlist.jet.html b/templates/admin/commentlist.jet.html index ca6cb506..2b195b1f 100644 --- a/templates/admin/commentlist.jet.html +++ b/templates/admin/commentlist.jet.html @@ -30,9 +30,10 @@ {{end}} - - {{ T("delete") }} - +
+ + +
{{end}} diff --git a/templates/admin/index.jet.html b/templates/admin/index.jet.html index 28c10253..3484fa72 100644 --- a/templates/admin/index.jet.html +++ b/templates/admin/index.jet.html @@ -22,9 +22,10 @@ {{ .UploaderID }} - - {{ T("delete") }} - +
+ + +
{{end}} @@ -57,8 +58,10 @@ {{.User.Username}} {{ getReportDescription(.Description,T) }} - - {{ T("delete") }} +
+ + +
{{end}} @@ -85,9 +88,9 @@ {{ .Username }} {{if .ID > 0}} - - {{ T("delete") }} - +
+ +
{{end}} @@ -121,9 +124,10 @@ - - {{ T("delete") }} - +
+ + +
{{end}} @@ -140,6 +144,7 @@