From 9c516f771243e19497b7bec1cd1662aa98e46afb Mon Sep 17 00:00:00 2001
From: Flummi
Date: Thu, 24 Mar 2022 16:13:51 +0100
Subject: [PATCH] ...
---
 public/s/js/admin.js | 34 +++++++++++++++++++++++++---------
 src/inc/routes/apiv2.mjs | 26 +++++++++++++-------------
 2 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/public/s/js/admin.js b/public/s/js/admin.js
index cb6ad92..e32caf4 100644
--- a/public/s/js/admin.js
+++ b/public/s/js/admin.js
@@ -54,23 +54,39 @@ const flash = ({ type, msg }) => {
 renderTags(res.tags);
 };
- const get = async (url, data) => {
- let s = [];
- for(const [ key, val ] of Object.entries(data))
- s.push(encodeURIComponent(key) + "=" + encodeURIComponent(val));
- return (await fetch(url + "?" + s.join("&"))).json();
+ const queryapi = async (url, data, method = 'GET') => {
+ let req;
+ if(method == 'POST') {
+ req = await fetch(url, {
+ method: "POST",
+ headers: {
+ "Content-Type": "application/json"
+ },
+ body: JSON.stringify(data)
+ });
+ }
+ else {
+ let s = [];
+ for(const [ key, val ] of Object.entries(data))
+ s.push(encodeURIComponent(key) + "=" + encodeURIComponent(val));
+ req = await fetch(url + '?' + s.join('&'));
+ }
+ return await req.json();
 };
- const deletePost = async postid => await get("/api/v2/admin/deletepost", {
+ const get = async (url, data) => queryapi(url, data, 'GET');
+ const post = async (url, data) => queryapi(url, data, 'POST');
+
+ const deletePost = async postid => await post("/api/v2/admin/deletepost", {
 postid: postid
 });
- const addTag = async (postid, tag) => await get("/api/v2/admin/tags/add", {
+ const addTag = async (postid, tag) => await post("/api/v2/admin/tags/add", {
 postid: postid,
 tag: tag
 });
- const deleteTag = async (postid, tagid) => await get("/api/v2/admin/tags/delete", {
+ const deleteTag = async (postid, tagid) => await post("/api/v2/admin/tags/delete", {
 postid: postid,
 tagid: tagid
 });
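Review bot: `queryapi` calls `req.json()` on whatever response comes back, so a rejected request (for example an expired admin session answered with a non-JSON error page) surfaces as a JSON parse exception rather than a usable failure. Checking the status before the final `return`, e.g. `if(!req.ok) throw new Error("api request failed: " + req.status);`, would give the callers something to report. The `method == 'POST'` test also sends every other value, including a lowercase `'post'`, down the query-string branch, which would silently put state-changing admin parameters back into URLs and access logs; comparing with `===` and throwing on an unknown method makes that mistake visible.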
@@ -235,7 +251,7 @@ const flash = ({ type, msg }) => {
 };
 const toggleFavEvent = async e => {
- const res = await get('/api/v2/admin/togglefav', {
+ const res = await post('/api/v2/admin/togglefav', {
 postid: postid
 });
 if(res.success) {
diff --git a/src/inc/routes/apiv2.mjs b/src/inc/routes/apiv2.mjs
index 8fd0e6b..ab04b46 100644
--- a/src/inc/routes/apiv2.mjs
+++ b/src/inc/routes/apiv2.mjs
@@ -85,16 +85,16 @@ export default (router, tpl) => {
 });
 // adminzeugs
- group.get(/\/admin\/tags\/add$/, auth, async (req, res) => {
- if(!req.url.qs.postid || !req.url.qs.tag) {
+ group.post(/\/admin\/tags\/add$/, auth, async (req, res) => {
+ if(!req.post.postid || !req.post.tag) {
 return res.reply({ body: JSON.stringify({
 success: false,
 msg: "missing postid or tag"
 })});
 }
- const postid = +req.url.qs.postid;
- const tag = req.url.qs.tag?.trim();
+ const postid = +req.post.postid;
+ const tag = req.post.tag?.trim();
 if(tag.length >= 45) {
 return res.reply({ body: JSON.stringify({
@@ -136,16 +136,16 @@ export default (router, tpl) => {
 })});
 });
- group.get(/\/admin\/tags\/delete$/, auth, async (req, res) => {
- if(!req.url.qs.postid || !req.url.qs.tagid) {
+ group.post(/\/admin\/tags\/delete$/, auth, async (req, res) => {
+ if(!req.post.postid || !req.post.tagid) {
 return res.reply({ body: JSON.stringify({
 success: false,
 msg: "missing postid or tag"
 })});
 }
- const postid = +req.url.qs.postid;
- const tagid = +req.url.qs.tagid;
+ const postid = +req.post.postid;
+ const tagid = +req.post.tagid;
 const tags = await lib.getTags(postid);
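Review bot: In the tags/add route, `req.post.tag?.trim()` throws when `tag` arrives as a non-string JSON value: a number, array or object passes the `!req.post.tag` check, and `?.` only guards null and undefined. This assumes `req.post` holds the parsed JSON body that the client now sends. The guard should check types rather than truthiness, e.g. `if(typeof req.post.tag !== 'string' || !Number.isInteger(+req.post.postid))`, answering with the existing "missing postid or tag" reply. The same unchecked `+req.post.…` coercion appears in the tags/delete and deletepost hunks, where `NaN` would reach `lib.getTags(postid)` and `.where("id", postid).del()`. The handler body continues past the end of this hunk.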
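Review bot: Switching `/admin/tags/delete` to POST (likewise the add, deletepost and togglefav routes in this file) does not by itself stop a cross-site request, because nothing visible in these hunks checks the `Origin` header, the request `Content-Type`, or an anti-CSRF token. If the body parser behind `req.post` also accepts form-encoded bodies, a form submitted from another site in a logged-in admin's browser could still pass `auth`, depending on the session cookie's SameSite setting. Consider rejecting requests whose `Content-Type` is not `application/json` or whose `Origin` is not the site's own, in one shared guard in front of these routes. `auth` is defined outside this diff, so it may already do this and should be confirmed.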
@@ -206,14 +206,14 @@ export default (router, tpl) => {
 })});
 });
- group.get(/\/admin\/deletepost$/, auth, async (req, res) => {
- if(!req.url.qs.postid) {
+ group.post(/\/admin\/deletepost$/, auth, async (req, res) => {
+ if(!req.post.postid) {
 return res.reply({ body: JSON.stringify({
 success: true,
 msg: "no postid"
 })});
 }
- const postid = +req.url.qs.postid;
+ const postid = +req.post.postid;
 await sql("items").where("id", postid).del();
 res.reply({ body: JSON.stringify({
@@ -221,8 +221,8 @@ export default (router, tpl) => {
 })});
 });
- group.get(/\/admin\/togglefav$/, auth, async (req, res) => {
- const postid = +req.url.qs.postid;
+ group.post(/\/admin\/togglefav$/, auth, async (req, res) => {
+ const postid = +req.post.postid;
 let favs = await sql('favorites').select('user_id').where('item_id', postid);
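Review bot: The `if(!req.post.postid)` guard in the deletepost route still answers `success: true` with `msg: "no postid"`, so the admin UI's `deletePost` caller cannot tell a skipped delete from a completed one; `success: false` would match the tags routes. After the guard, `await sql("items").where("id", postid).del()` runs without looking at how many rows were removed. A non-numeric or unknown id therefore appears to be reported like a normal delete, though the reply body continues outside the hunk and should be checked. Recording the acting user and the post id at this point would also give deletions an audit trail.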
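Review bot: The togglefav route has no presence or type check on `req.post.postid` at all, unlike the three routes above it, so a missing or non-numeric value becomes `NaN` and goes straight into `.where('item_id', postid)`. A guard right after the coercion, such as `if(!Number.isInteger(postid) || postid <= 0) return res.reply({ body: JSON.stringify({ success: false, msg: "missing postid" })});`, would keep the handler from acting on a malformed request. The rest of the handler is outside this hunk.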