From bc708bb0a35670f97bd3185f4b94a45a070de437 Mon Sep 17 00:00:00 2001
From: SysAdmin <sysadmin@silverlabs.uk>
Date: Wed, 24 Sep 2025 18:02:17 +0100
Subject: [PATCH] Fix missing CSRF tokens in all delete forms

- Added @Html.AntiForgeryToken() to Products delete form
- Added @Html.AntiForgeryToken() to Categories delete form
- Added @Html.AntiForgeryToken() to Users delete form
- Added @Html.AntiForgeryToken() to ShippingRates delete form
- Added @Html.AntiForgeryToken() to Product Variations delete form

This fixes the 400 Bad Request errors when trying to delete items
---
 .claude/settings.local.json                             | 4 +++-
 LittleShop/Areas/Admin/Views/Categories/Index.cshtml    | 3 ++-
 LittleShop/Areas/Admin/Views/Products/Index.cshtml      | 1 +
 LittleShop/Areas/Admin/Views/Products/Variations.cshtml | 1 +
 LittleShop/Areas/Admin/Views/ShippingRates/Index.cshtml | 3 ++-
 LittleShop/Areas/Admin/Views/Users/Index.cshtml         | 3 ++-
 6 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
index ea08d28..5d5d2d5 100644
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -30,7 +30,9 @@
       "Bash(tasklist)",
       "Bash(findstr:*)",
       "Read(//mnt/c/Production/Source/SilverLABS/SilverPAY/**)",
-      "Bash(git commit:*)"
+      "Bash(git commit:*)",
+      "Bash(docker build:*)",
+      "Bash(git fetch:*)"
     ],
     "deny": [],
     "ask": []
diff --git a/LittleShop/Areas/Admin/Views/Categories/Index.cshtml b/LittleShop/Areas/Admin/Views/Categories/Index.cshtml
index 2dd588f..65f997c 100644
--- a/LittleShop/Areas/Admin/Views/Categories/Index.cshtml
+++ b/LittleShop/Areas/Admin/Views/Categories/Index.cshtml
@@ -56,8 +56,9 @@
                                         <a href="@Url.Action("Edit", new { id = category.Id })" class="btn btn-outline-primary">
                                             <i class="fas fa-edit"></i>
                                         </a>
-                                        <form method="post" action="@Url.Action("Delete", new { id = category.Id })" class="d-inline" 
+                                        <form method="post" action="@Url.Action("Delete", new { id = category.Id })" class="d-inline"
                                               onsubmit="return confirm('Are you sure you want to delete this category?')">
+                                            @Html.AntiForgeryToken()
                                             <button type="submit" class="btn btn-outline-danger">
                                                 <i class="fas fa-trash"></i>
                                             </button>
diff --git a/LittleShop/Areas/Admin/Views/Products/Index.cshtml b/LittleShop/Areas/Admin/Views/Products/Index.cshtml
index 97bb077..16ca46f 100644
--- a/LittleShop/Areas/Admin/Views/Products/Index.cshtml
+++ b/LittleShop/Areas/Admin/Views/Products/Index.cshtml
@@ -115,6 +115,7 @@
                                         </a>
                                         <form method="post" action="@Url.Action("Delete", new { id = product.Id })" class="d-inline"
                                               onsubmit="return confirm('Are you sure you want to delete this product?')">
+                                            @Html.AntiForgeryToken()
                                             <button type="submit" class="btn btn-outline-danger" title="Delete Product">
                                                 <i class="fas fa-trash"></i>
                                             </button>
diff --git a/LittleShop/Areas/Admin/Views/Products/Variations.cshtml b/LittleShop/Areas/Admin/Views/Products/Variations.cshtml
index 419cc82..80675e8 100644
--- a/LittleShop/Areas/Admin/Views/Products/Variations.cshtml
+++ b/LittleShop/Areas/Admin/Views/Products/Variations.cshtml
@@ -80,6 +80,7 @@
                                         </a>
                                         <form method="post" action="@Url.Action("DeleteVariation", new { id = variation.Id })" class="d-inline"
                                               onsubmit="return confirm('Are you sure you want to delete this variation?')">
+                                            @Html.AntiForgeryToken()
                                             <button type="submit" class="btn btn-outline-danger" title="Delete Variation">
                                                 <i class="fas fa-trash"></i>
                                             </button>
diff --git a/LittleShop/Areas/Admin/Views/ShippingRates/Index.cshtml b/LittleShop/Areas/Admin/Views/ShippingRates/Index.cshtml
index 4da4efe..c5a9882 100644
--- a/LittleShop/Areas/Admin/Views/ShippingRates/Index.cshtml
+++ b/LittleShop/Areas/Admin/Views/ShippingRates/Index.cshtml
@@ -62,8 +62,9 @@
                                         <a href="@Url.Action("Edit", new { id = rate.Id })" class="btn btn-outline-primary">
                                             <i class="fas fa-edit"></i>
                                         </a>
-                                        <form method="post" action="@Url.Action("Delete", new { id = rate.Id })" class="d-inline" 
+                                        <form method="post" action="@Url.Action("Delete", new { id = rate.Id })" class="d-inline"
                                               onsubmit="return confirm('Are you sure you want to delete this shipping rate?')">
+                                            @Html.AntiForgeryToken()
                                             <button type="submit" class="btn btn-outline-danger">
                                                 <i class="fas fa-trash"></i>
                                             </button>
diff --git a/LittleShop/Areas/Admin/Views/Users/Index.cshtml b/LittleShop/Areas/Admin/Views/Users/Index.cshtml
index ac9a167..548ad33 100644
--- a/LittleShop/Areas/Admin/Views/Users/Index.cshtml
+++ b/LittleShop/Areas/Admin/Views/Users/Index.cshtml
@@ -68,8 +68,9 @@
                                         </a>
                                         @if (user.Username != "admin")
                                         {
-                                            <form method="post" action="@Url.Action("Delete", new { id = user.Id })" class="d-inline" 
+                                            <form method="post" action="@Url.Action("Delete", new { id = user.Id })" class="d-inline"
                                                   onsubmit="return confirm('Are you sure you want to delete this user?')">
+                                                @Html.AntiForgeryToken()
                                                 <button type="submit" class="btn btn-outline-danger">
                                                     <i class="fas fa-trash"></i>
                                                 </button>