fix(admin): add CSRF token to admin user management operations (#1065)

Fixes #1064

Admin user operations (create, update, delete, toggle registration) were
failing with a "CSRF token missing" error when accessed behind a reverse proxy.
This happened because the frontend was using plain fetch() instead of the
fetchWithCsrf() utility, which automatically includes the CSRF token header.

Changed all state-changing operations in AdminUsersPage to use fetchWithCsrf:
- createAdminUser (POST /admin/users)
- updateAdminUser (PUT /admin/users/:id)
- deleteAdminUser (DELETE /admin/users/:id)
- toggleRegistration (POST /admin/toggle-registration)
Chris 2026-04-24 23:24:46 +03:00 committed by GitHub
parent 517a2ee7ea
commit aafb1877ae
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -10,6 +10,7 @@ import {
import ConfirmDialog from '../Shared/ConfirmDialog';
import { getApiPath } from '../../config/paths';
import { useToast } from '../Shared/ToastContext';
import { fetchWithCsrf } from '../../utils/csrfService';
interface AdminUserItem {
id: number;
@ -43,7 +44,7 @@ const createAdminUser = async (
surname?: string,
role?: 'admin' | 'user'
): Promise<AdminUserItem> => {
const res = await fetch(getApiPath('admin/users'), {
const res = await fetchWithCsrf(getApiPath('admin/users'), {
method: 'POST',
credentials: 'include',
headers: {
@ -84,7 +85,7 @@ const updateAdminUser = async (
const body: any = { email, name, surname, role };
if (password) body.password = password;
const res = await fetch(getApiPath(`admin/users/${id}`), {
const res = await fetchWithCsrf(getApiPath(`admin/users/${id}`), {
method: 'PUT',
credentials: 'include',
headers: {
@ -116,7 +117,7 @@ const updateAdminUser = async (
};
const deleteAdminUser = async (id: number, t: any): Promise<void> => {
const res = await fetch(getApiPath(`admin/users/${id}`), {
const res = await fetchWithCsrf(getApiPath(`admin/users/${id}`), {
method: 'DELETE',
credentials: 'include',
headers: { Accept: 'application/json' },
@ -466,7 +467,7 @@ const AdminUsersPage: React.FC = () => {
// Toggle registration
const toggleRegistration = async () => {
try {
const res = await fetch(getApiPath('admin/toggle-registration'), {
const res = await fetchWithCsrf(getApiPath('admin/toggle-registration'), {
method: 'POST',
credentials: 'include',
headers: {
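Review bot: All four converted calls (createAdminUser, updateAdminUser, deleteAdminUser, toggleRegistration) still pass their own `headers` object, so the fix only holds if `fetchWithCsrf` merges the CSRF header into caller-supplied headers rather than letting them replace it. The helper in `../../utils/csrfService` is not shown here, so this should be confirmed, ideally with a unit test asserting that the token header is present when a caller passes `headers: { Accept: 'application/json' }`. The description says the plain `fetch()` calls failed only behind a reverse proxy, which may mean the server-side CSRF check on these admin routes is not enforced in every deployment; that is worth verifying, because the protection comes from the server rejecting requests that lack the token. To keep bare `fetch()` from creeping back in, a comment at the new import such as `// State-changing requests must go through fetchWithCsrf, never plain fetch()` would help. The function bodies continue outside the hunks, so response and error handling were not reviewed.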