From 179a0a9cb2391c657d3580766e979346a52a20a3 Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Sun, 7 Oct 2007 03:33:15 -0500
Subject: [PATCH] Might as well

Spammers aren't an issue here, but might as well enforce that these actions are POST-only, too.
---
 app/controllers/admin_controller.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 836a9b4f..29e3a2ff 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -27,6 +27,11 @@ class AdminController < ApplicationController
 def create_web
 if params['address']
+ unless (request.post? || ENV["RAILS_ENV"] == "test")
+ headers['Allow'] = 'POST'
+ render(:status => 405, :text => 'You must use an HTTP POST')
+ return
+ end
 # form submitted
 if @wiki.authenticate(params['system_password'])
 begin
@@ -49,6 +54,11 @@ class AdminController < ApplicationController
 def edit_web
 system_password = params['system_password']
 if system_password
+ unless (request.post? || ENV["RAILS_ENV"] == "test")
+ headers['Allow'] = 'POST'
+ render(:status => 405, :text => 'You must use an HTTP POST')
+ return
+ end
 # form submitted
 if wiki.authenticate(system_password)
 begin
@@ -81,6 +91,11 @@ class AdminController < ApplicationController
 end
 def remove_orphaned_pages
+ unless (request.post? || ENV["RAILS_ENV"] == "test")
+ headers['Allow'] = 'POST'
+ render(:status => 405, :text => 'You must use an HTTP POST')
+ return
+ end
 if wiki.authenticate(params['system_password_orphaned'])
 wiki.remove_orphaned_pages(@web_name)
 flash[:info] = 'Orphaned pages removed'
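Review bot: The five-line POST guard added in create_web is pasted verbatim into edit_web and remove_orphaned_pages (the second and third hunks), and every copy carries an `ENV["RAILS_ENV"] == "test"` escape hatch, so a server process started with RAILS_ENV=test skips the method check on all three state-changing admin actions, and any future copy that drops the clause or forgets the `return` silently diverges. Move the check into one private helper that renders the 405 and returns true, so each action reduces to `return if reject_non_post`, and have the test suite send POSTs to these actions instead of relying on an environment bypass in production code; whether the existing tests use GET is not visible here, so confirm before dropping the clause. If this Rails version provides `verify :method => :post` with `:only`, `:add_headers` and `:render` options, a single class-level declaration would replace all three copies outright. The bodies of create_web, edit_web and remove_orphaned_pages continue outside the hunks.
```ruby
def create_web
  if params['address']
    return if reject_non_post
    # … unchanged: system_password authentication and web creation …

# … unchanged: edit_web and remove_orphaned_pages call `return if reject_non_post` at the same points …

private

# Renders a 405 with an Allow header and returns true unless the
# request is an HTTP POST; callers `return` immediately when it is true.
def reject_non_post
  return false if request.post?
  headers['Allow'] = 'POST'
  render(:status => 405, :text => 'You must use an HTTP POST')
  true
end
```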