Skip to content

security: change team member delete from GET to POST#199

Open
sumnerevans wants to merge 1 commit intomasterfrom
security/delete-via-post
Open

security: change team member delete from GET to POST#199
sumnerevans wants to merge 1 commit intomasterfrom
security/delete-via-post

Conversation

@sumnerevans
Copy link
Copy Markdown
Contributor

@sumnerevans sumnerevans commented Apr 12, 2026

Summary

  • GET /register/teacher/team/delete performed a destructive action (removing a team member)
  • Any <img src="...">, link prefetch, or browser history replay could trigger deletion for a logged-in teacher
  • Replaced the <a href> link in teamedit.html with a <form method=POST>
  • Switched the handler to read email and team_id from the form body instead of the query string

Test plan

  • Open team edit page, confirm the delete button still shows and the confirm dialog appears
  • Delete a team member, confirm they are removed and you are redirected back to the team edit page
  • Confirm GET /register/teacher/team/delete now returns 405 Method Not Allowed

🤖 Generated with Claude Code

@sumnerevans @claude
security: change team member delete from GET to POST
e276628 
Destructive operations must not be triggered via GET — any page with an
<img> or prefetch link pointing at the URL could silently delete members
for a logged-in teacher. Replaced the <a> link with a <form method=POST>
and switched the handler to read params from the form body.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sumnerevans