miniflux/ui/feed_remove.go
Frédéric Guillot 32439ca2f0 Security fix: any user can delete any feed
Regression introduced in commit 51fb949.
2021-05-07 16:25:44 -07:00

29 lines
699 B
Go

// Copyright 2018 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.
package ui // import "miniflux.app/ui"
import (
"net/http"
"miniflux.app/http/request"
"miniflux.app/http/response/html"
"miniflux.app/http/route"
)
func (h *handler) removeFeed(w http.ResponseWriter, r *http.Request) {
feedID := request.RouteInt64Param(r, "feedID")
if !h.store.FeedExists(request.UserID(r), feedID) {
html.NotFound(w, r)
return
}
if err := h.store.RemoveFeed(request.UserID(r), feedID); err != nil {
html.ServerError(w, r, err)
return
}
html.Redirect(w, r, route.Path(h.router, "feeds"))
}