From: mmd-osm <mmd.osm@gmail.com>
Date: Tue, 9 Feb 2021 18:46:17 +0000 (+0100)
Subject: Prevent CSRF bypass unblocking users
X-Git-Tag: live~2965
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/c49e400aa36d116ded8188240961d1e88b172ccd

Prevent CSRF bypass unblocking users
---

diff --git a/app/controllers/user_blocks_controller.rb b/app/controllers/user_blocks_controller.rb
index 058c442d5..63fca6557 100644
--- a/app/controllers/user_blocks_controller.rb
+++ b/app/controllers/user_blocks_controller.rb
@@ -79,7 +79,7 @@ class UserBlocksController < ApplicationController
   ##
   # revokes the block, setting the end_time to now
   def revoke
-    if params[:confirm] && @user_block.revoke!(current_user)
+    if request.post? && params[:confirm] && @user_block.revoke!(current_user)
       flash[:notice] = t ".flash"
       redirect_to(@user_block)
     end
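Review bot: The `request.post?` guard closes the hole because Rails' forgery protection only verifies non-GET requests, so a GET carrying `confirm` previously reached `revoke!` with no CSRF token at all; the short-circuit now keeps `revoke!` unreachable on GET, but the action still accepts the GET and silently falls through to render the form, which hides the rejected attempt from anyone watching logs. Consider making the intent explicit in the header comment, e.g. `# revokes the block, setting the end_time to now; the revocation itself is only honoured on a POST so that forgery protection applies`, and, if the route presumably maps both verbs to this action, splitting it into a GET that only renders the confirmation and a POST that performs it so the method-level check is not the sole defence. The `def revoke` body continues past the end of this hunk.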
diff --git a/test/controllers/user_blocks_controller_test.rb b/test/controllers/user_blocks_controller_test.rb
index d5db89615..3e2be801d 100644
--- a/test/controllers/user_blocks_controller_test.rb
+++ b/test/controllers/user_blocks_controller_test.rb
@@ -351,7 +351,14 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
       assert_select "input[type='submit'][value='Revoke!']", :count => 1
     end
 
-    # Check that revoking a block works
+    # Check that revoking a block using GET should fail
+    get revoke_user_block_path(:id => active_block, :confirm => true)
+    assert_response :success
+    assert_template "revoke"
+    b = UserBlock.find(active_block.id)
+    assert b.ends_at - Time.now > 100
+
+    # Check that revoking a block works using POST
     post revoke_user_block_path(:id => active_block, :confirm => true)
     assert_redirected_to user_block_path(active_block)
     b = UserBlock.find(active_block.id)
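Review bot: The new assertion `assert b.ends_at - Time.now > 100` only proves the block ends more than 100 seconds in the future, not that the GET left it untouched, and it depends on the fixture's duration and on wall-clock time. Capturing the value before the request and comparing afterwards pins the actual property under test: `original_ends_at = active_block.ends_at` before the `get`, then `assert_equal original_ends_at, b.ends_at` in place of the timing comparison. The comment `# Check that revoking a block using GET should fail` also reads as if an error response were expected, whereas the assertions check that the page renders and nothing changes; `# Check that a GET with :confirm renders the form without revoking` would match the assertions. The enclosing test method continues outside this hunk.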