fix: secure link password deletion (#1126)

realodix · web-flow · commit 875ebb9af903 · 2025-08-19T16:01:20.000+07:00
diff --git a/resources/views/backend/edit.blade.php b/resources/views/backend/edit.blade.php
@@ -140,9 +140,11 @@ class="col-span-6"
                                         @svg('icon-key', 'mr-1') Edit Password
                                     </button>
 
-                                    <a href="{{ route('link.password.delete', $url) }}" onclick="return confirm('Are you sure you want to remove the password?')" class="btn btn-delete-danger btn-sm dark:text-red-700! dark:hover:text-red-400! dark:border-red-900!">
+                                    <button type="button" x-on:click="$dispatch('open-modal', 'remove-password-modal')"
+                                        class="btn btn-delete-danger btn-sm dark:text-red-700! dark:hover:text-red-400! dark:border-red-900!"
+                                    >
                                         Remove Password
-                                    </a>
+                                    </button>
                                 @else
                                     <button type="button" title="Add Password" x-on:click="$dispatch('open-modal', 'add-password-modal')" class="btn btn-sm">
                                         @svg('icon-key', 'mr-1') Add Password
@@ -213,6 +215,26 @@ class="flatpickr-input form-input"
         @include('backend.linkpassword.create')
     @else
         @include('backend.linkpassword.edit')
+
+        <x-modal name="remove-password-modal" maxWidth="md">
+            <x-slot:title>Remove Password for <span class="font-semibold">{{ $url->keyword }}</span></x-slot:title>
+            <form method="post" action="{{ route('link.password.delete', $url) }}" class="space-y-6">
+                @csrf @method('DELETE')
+                <p class="font-light text-sm dark:text-dark-400 mt-2 mb-2">
+                    Are you sure you want to remove the password for this link? This action cannot be undone.
+                </p>
+
+                <div class="flex justify-end items-center">
+                    <button type="button"
+                        x-on:click="$dispatch('close-modal', 'remove-password-modal')"
+                        class="btn btn-secondary mr-2"
+                    >
+                        Cancel
+                    </button>
+                    <button type="submit" class="btn btn-delete-danger">Remove Password</button>
+                </div>
+            </form>
+        </x-modal>
     @endif
 </div>
 @endsection
diff --git a/routes/web.php b/routes/web.php
@@ -27,7 +27,7 @@
         Route::delete('/delete/{url:keyword}', [LinkController::class, 'delete'])->name('link.delete');
         Route::post('/password/store/{url:keyword}', [LinkPasswordController::class, 'store'])->name('link.password.store');
         Route::post('/password/update/{url:keyword}', [LinkPasswordController::class, 'update'])->name('link.password.update');
-        Route::get('/password/delete/{url:keyword}', [LinkPasswordController::class, 'delete'])->name('link.password.delete');
+        Route::delete('/password/delete/{url:keyword}', [LinkPasswordController::class, 'delete'])->name('link.password.delete');
         Route::get('/tag/restricted', [DashboardController::class, 'restrictedLinkView'])->name('dboard.links.restricted');
         Route::get('/tag/restricted/{user:name}', [DashboardController::class, 'userRestrictedLinkView'])
             ->name('dboard.links.user.restricted');
diff --git a/tests/Feature/AuthPage/LinkAuthorizationTest.php b/tests/Feature/AuthPage/LinkAuthorizationTest.php
@@ -196,7 +196,7 @@ public function password_delete_adminCanAccessAll()
     {
         $url = Url::factory()->create(['password' => 'password']);
         $this->actingAs($this->adminUser())
-            ->get(route('link.password.delete', $url));
+            ->delete(route('link.password.delete', $url));
 
         $this->assertNull($url->fresh()->password);
     }
diff --git a/tests/Feature/AuthPage/LinkTest.php b/tests/Feature/AuthPage/LinkTest.php
@@ -247,7 +247,7 @@ public function testRemovePasswordFromLink()
         $url = Url::factory()->create(['password' => 'password']);
         $response = $this->actingAs($url->author)
             ->from(route('link.edit', $url))
-            ->get(route('link.password.delete', $url));
+            ->delete(route('link.password.delete', $url));
 
         $response
             ->assertRedirectToRoute('link.edit', $url)

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,7 @@ public function password_delete_adminCanAccessAll()`
`196`	`196`	`{`
`197`	`197`	`$url = Url::factory()->create(['password' => 'password']);`
`198`	`198`	`$this->actingAs($this->adminUser())`
`199`		`- ->get(route('link.password.delete', $url));`
	`199`	`+ ->delete(route('link.password.delete', $url));`
`200`	`200`
`201`	`201`	`$this->assertNull($url->fresh()->password);`
`202`	`202`	`}`