Might as well

Spammers aren't an issue here, but might as well enforce that these actions are POST-only, too.
2007-10-07 03:33:15 -05:00 · 2007-10-07 03:33:15 -05:00 · 179a0a9cb2
parent 2484542f12
commit 179a0a9cb2
1 changed files with 15 additions and 0 deletions
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@ -27,6 +27,11 @@ class AdminController < ApplicationController

  def create_web
    if params['address']
+      unless (request.post? || ENV["RAILS_ENV"] == "test")
+        headers['Allow'] = 'POST'
+        render(:status => 405, :text => 'You must use an HTTP POST')
+        return
+      end
      # form submitted
      if @wiki.authenticate(params['system_password'])
        begin
@ -49,6 +54,11 @@ class AdminController < ApplicationController
  def edit_web
    system_password = params['system_password']
    if system_password
+      unless (request.post? || ENV["RAILS_ENV"] == "test")
+        headers['Allow'] = 'POST'
+        render(:status => 405, :text => 'You must use an HTTP POST')
+        return
+      end
      # form submitted
      if wiki.authenticate(system_password)
        begin
@ -81,6 +91,11 @@ class AdminController < ApplicationController
  end

  def remove_orphaned_pages
+    unless (request.post? || ENV["RAILS_ENV"] == "test")
+      headers['Allow'] = 'POST'
+      render(:status => 405, :text => 'You must use an HTTP POST')
+      return
+    end
    if wiki.authenticate(params['system_password_orphaned'])
      wiki.remove_orphaned_pages(@web_name)
      flash[:info] = 'Orphaned pages removed'