Added test + fix for form method spoofing

pascalbaljet · pascalbaljet · commit ef5ca67329d7 · 2022-10-14T20:45:42.000+02:00
diff --git a/app/resources/views/form/put.blade.php b/app/resources/views/form/put.blade.php
@@ -0,0 +1,13 @@
+@extends('layout')
+
+@section('content')
+
+FormPut
+
+<x-splade-form method="PUT">
+    <input v-model="form.name" dusk="name" />
+    <p v-text="form.errors.name" />
+    <button type="submit">Submit</button>
+</x-splade-form>
+
+@endsection
diff --git a/app/routes/web.php b/app/routes/web.php
@@ -71,6 +71,8 @@
 
     Route::view('form/simple', 'form.simple')->name('form.simple');
     Route::post('form/simple', SimpleFormController::class)->name('form.simple.submit');
+    Route::view('form/put', 'form.put')->name('form.put');
+    Route::put('form/put', SimpleFormController::class)->name('form.put.submit');
     Route::post('form/slow', SlowFormController::class)->name('form.slow.submit');
     Route::post('form/back', BackFormController::class)->name('form.back.submit');
 
diff --git a/app/tests/Browser/FormTest.php b/app/tests/Browser/FormTest.php
@@ -19,6 +19,18 @@ public function it_can_show_the_errors()
         });
     }
 
+    /** @test */
+    public function it_can_submit_to_a_non_post_endpoint()
+    {
+        $this->browse(function (Browser $browser) {
+            $browser->visit('/form/put')
+                ->waitForText('FormPut')
+                ->press('Submit')
+                ->waitForText('The name field is required.')
+                ->assertSee('The name field is required.');
+        });
+    }
+
     /** @test */
     public function it_can_upload_a_file()
     {
diff --git a/lib/Components/Form.vue b/lib/Components/Form.vue
@@ -263,7 +263,14 @@ export default {
                 headers["X-Splade-Prevent-Refresh"] = true;
             }
 
-            Splade.request(this.action, this.method.toUpperCase(), data, headers)
+            let method = this.method.toUpperCase();
+
+            if(method !== "GET" && method !== "POST") {
+                data.append("_method", method);
+                method = "POST";
+            }
+
+            Splade.request(this.action, method, data, headers)
                 .then((response) => {
                     this.$emit("success", response);
 
