Might as well

Spammers aren't an issue here, but might as well enforce that these actions are POST-only, too.
Jacques Distler 2007-10-07 03:33:15 -05:00
parent 2484542f12
commit 179a0a9cb2


@ -27,6 +27,11 @@ class AdminController < ApplicationController
def create_web def create_web
if params['address'] if params['address']
unless (request.post? || ENV["RAILS_ENV"] == "test")
headers['Allow'] = 'POST'
render(:status => 405, :text => 'You must use an HTTP POST')
return
end
# form submitted # form submitted
if @wiki.authenticate(params['system_password']) if @wiki.authenticate(params['system_password'])
begin begin
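Review bot: The `|| ENV["RAILS_ENV"] == "test"` clause in the new guard in create_web switches the POST-only check off whenever the process runs with that environment value, so the test suite never exercises the 405 path and the enforcement depends on how the app is launched. I would drop the clause and write `unless request.post?`, changing the tests to issue POST requests for these actions. The same five-line guard is repeated in the edit_web and remove_orphaned_pages hunks; one private helper in AdminController that sets the `Allow` header, renders the 405 and reports whether the action should stop would keep the three copies from drifting apart. Restricting the method keeps the system password out of query strings and access logs, but it does not on its own reject a form posted from another site. create_web's body continues outside the hunk.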
@ -49,6 +54,11 @@ class AdminController < ApplicationController
def edit_web def edit_web
system_password = params['system_password'] system_password = params['system_password']
if system_password if system_password
unless (request.post? || ENV["RAILS_ENV"] == "test")
headers['Allow'] = 'POST'
render(:status => 405, :text => 'You must use an HTTP POST')
return
end
# form submitted # form submitted
if wiki.authenticate(system_password) if wiki.authenticate(system_password)
begin begin
@ -81,6 +91,11 @@ class AdminController < ApplicationController
end end
def remove_orphaned_pages def remove_orphaned_pages
unless (request.post? || ENV["RAILS_ENV"] == "test")
headers['Allow'] = 'POST'
render(:status => 405, :text => 'You must use an HTTP POST')
return
end
if wiki.authenticate(params['system_password_orphaned']) if wiki.authenticate(params['system_password_orphaned'])
wiki.remove_orphaned_pages(@web_name) wiki.remove_orphaned_pages(@web_name)
flash[:info] = 'Orphaned pages removed' flash[:info] = 'Orphaned pages removed'