security: change team member delete from GET to POST

Destructive operations must not be triggered via GET — any page with an
<img> or prefetch link pointing at the URL could silently delete members
for a logged-in teacher. Replaced the <a> link with a <form method=POST>
and switched the handler to read params from the form body.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>

Author: sumnerevans

internal/application.go

@@ -190,7 +190,7 @@ func (a *Application) Start() {
 	}
 
 	// Delete Team member
-	router.HandleFunc("GET /register/teacher/team/delete", a.HandleTeacherDeleteMember)
+	router.HandleFunc("POST /register/teacher/team/delete", a.HandleTeacherDeleteMember)
 
 	// Email confirmation code handling
 	router.HandleFunc("GET /register/teacher/emaillogin", a.HandleTeacherEmailLogin)

internal/teacherteammembers.go

@@ -248,8 +248,13 @@ func (a *Application) HandleTeacherDeleteMember(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	email := r.URL.Query().Get("email")
-	teamIDStr := r.URL.Query().Get("team_id")
+	if err := r.ParseForm(); err != nil {
+		a.Log.Err(err).Msg("failed to parse form")
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+	email := r.FormValue("email")
+	teamIDStr := r.FormValue("team_id")
 	log := a.Log.With().
 		Str("page_name", "teacher_delete_member").
 		Str("team_id", teamIDStr).

website/templates/teamedit.html

@@ -174,11 +174,14 @@ <h4 class="card-header">Team Members</h4>
                     <td>{{ if .PreviouslyParticipated }}Yes{{ else }}No{{ end }}</td>
                     <td>{{ .ParentEmail }}</td>
                     <td class="text-center">
-                      <a href="/register/teacher/team/delete?team_id={{ $t.ID }}&email={{ .Email }}"
-                         onclick="return confirm('Are you sure you want to remove {{ .Name }} from {{ $t.Name }}?')"
-                         class="btn btn-danger">
-                        <i class="fa fa-times"></i>
-                      </a>
+                      <form method="POST" action="/register/teacher/team/delete"
+                            onsubmit="return confirm('Are you sure you want to remove {{ .Name }} from {{ $t.Name }}?')">
+                        <input type="hidden" name="team_id" value="{{ $t.ID }}">
+                        <input type="hidden" name="email" value="{{ .Email }}">
+                        <button type="submit" class="btn btn-danger">
+                          <i class="fa fa-times"></i>
+                        </button>
+                      </form>
                     </td>
                   </tr>
                 {{ end }}