From 740ba0dd38afbb1f67605b5cf04942191f5b8e4f Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 14 Aug 2012 22:49:07 +0100
Subject: [PATCH] Require POST for make_friend and remove_friend

Note that this breaks the make_friend link in friend notfication emails, but it will do as a temporary measure.
---
 app/views/user/_contact.html.erb | 4 ++--
 app/views/user/view.html.erb | 4 ++--
 config/routes.rb | 4 ++--
 test/functional/user_controller_test.rb | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/views/user/_contact.html.erb b/app/views/user/_contact.html.erb
index 9bac0dc2d..2418ed24c 100644
--- a/app/views/user/_contact.html.erb
+++ b/app/views/user/_contact.html.erb
@@ -33,9 +33,9 @@
 <%= link_to t('user.view.send message'), :controller => 'message', :action => 'new', :display_name => contact.display_name %>
 |
 <% if @user.is_friends_with?(contact) %>
- <%= link_to t('user.view.remove as friend'), :controller => 'user', :action => 'remove_friend', :display_name => contact.display_name, :referer => request.fullpath %>
+ <%= link_to t('user.view.remove as friend'), :controller => 'user', :action => 'remove_friend', :display_name => contact.display_name, :referer => request.fullpath, :method => :post %>
 <% else %>
- <%= link_to t('user.view.add as friend'), :controller => 'user', :action => 'make_friend', :display_name => contact.display_name, :referer => request.fullpath %>
+ <%= link_to t('user.view.add as friend'), :controller => 'user', :action => 'make_friend', :display_name => contact.display_name, :referer => request.fullpath, :method => :post %>
 <% end %>
diff --git a/app/views/user/view.html.erb b/app/views/user/view.html.erb
index f8af1fccf..70e4f1828 100644
--- a/app/views/user/view.html.erb
+++ b/app/views/user/view.html.erb
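Review bot: On both added lines `:method => :post` is folded by Ruby into the same trailing hash as `:controller`, `:action` and `:referer`, so it reaches `link_to` as a URL option rather than an HTML option; if I read the call correctly it is emitted as `?method=post` in the href while the anchor itself remains a plain GET, which the routes change in this same patch now rejects. Brace the URL options so the method lands in html_options, e.g. `link_to t('user.view.remove as friend'), { :controller => 'user', :action => 'remove_friend', :display_name => contact.display_name, :referer => request.fullpath }, :method => :post`, and likewise for the make_friend line. Even with that fix `:method => :post` relies on the UJS `data-method` handler, so with JavaScript disabled the link degrades to a GET; `button_to` renders a real form carrying the CSRF token and does not have that failure mode. The CSRF benefit of insisting on POST also only materialises if `protect_from_forgery` is active for this controller, which nothing in this patch shows.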
@@ -39,9 +39,9 @@
 <%= link_to t('user.view.comments'), :controller => 'diary_entry', :action => 'comments', :display_name => @this_user.display_name %>
 |
 <% if @user and @user.is_friends_with?(@this_user) %>
- <%= link_to t('user.view.remove as friend'), :controller => 'user', :action => 'remove_friend', :display_name => @this_user.display_name %>
+ <%= link_to t('user.view.remove as friend'), :controller => 'user', :action => 'remove_friend', :display_name => @this_user.display_name, :method => :post %>
 <% else %>
- <%= link_to t('user.view.add as friend'), :controller => 'user', :action => 'make_friend', :display_name => @this_user.display_name %>
+ <%= link_to t('user.view.add as friend'), :controller => 'user', :action => 'make_friend', :display_name => @this_user.display_name, :method => :post %>
 <% end %>
 <% if @this_user.blocks.exists? %>
 |
diff --git a/config/routes.rb b/config/routes.rb
index 6b8164537..c5119b945 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -174,8 +174,8 @@ OpenStreetMap::Application.routes.draw do
 # user pages
 match '/user/:display_name' => 'user#view', :via => :get, :as => "user"
- match '/user/:display_name/make_friend' => 'user#make_friend', :via => :get
- match '/user/:display_name/remove_friend' => 'user#remove_friend', :via => :get
+ match '/user/:display_name/make_friend' => 'user#make_friend', :via => :post
+ match '/user/:display_name/remove_friend' => 'user#remove_friend', :via => :post
 match '/user/:display_name/account' => 'user#account', :via => [:get, :post]
 match '/user/:display_name/set_status' => 'user#set_status', :via => :get, :as => :set_status_user
 match '/user/:display_name/delete' => 'user#delete', :via => :get, :as => :delete_user
diff --git a/test/functional/user_controller_test.rb b/test/functional/user_controller_test.rb
index 4379a1d49..e85308183 100644
--- a/test/functional/user_controller_test.rb
+++ b/test/functional/user_controller_test.rb
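Review bot: Both added `link_to` calls pass `:method => :post` without braces around the URL options, so Ruby collects it into the single `options` hash and, as far as I can tell, `link_to` then treats it as a query parameter rather than emitting `data-method="post"`; the rendered anchor still performs a GET, which the accompanying route change no longer accepts. Wrap the URL options so the method is passed as an HTML option, e.g. `link_to t('user.view.add as friend'), { :controller => 'user', :action => 'make_friend', :display_name => @this_user.display_name }, :method => :post`, and the same for the remove_friend line. Because a `data-method` link still needs JavaScript to become a POST, `button_to` is the safer construct for a state-changing action on a public profile page.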
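Review bot: The hunk leaves `set_status` and `delete`, two lines below the changed routes, on `:via => :get`, although they are state-changing actions with the same cross-site request exposure that motivates moving make_friend and remove_friend to POST; a GET that changes a user's status or deletes an account can be triggered through an image tag or a link regardless of whatever role check the controller (not shown here) applies. Consider `match '/user/:display_name/set_status' => 'user#set_status', :via => :post, :as => :set_status_user` and `match '/user/:display_name/delete' => 'user#delete', :via => :post, :as => :delete_user`, converting their callers to forms. Naming the two new POST routes as well (`:as => :make_friend_user`, `:as => :remove_friend_user`) would let the views use path helpers, which keeps the URL and HTML option hashes of `link_to` apart.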
@@ -140,11 +140,11 @@ class UserControllerTest < ActionController::TestCase
 )
 assert_routing(
- { :path => "/user/username/make_friend", :method => :get },
+ { :path => "/user/username/make_friend", :method => :post },
 { :controller => "user", :action => "make_friend", :display_name => "username" }
 )
 assert_routing(
- { :path => "/user/username/remove_friend", :method => :get },
+ { :path => "/user/username/remove_friend", :method => :post },
 { :controller => "user", :action => "remove_friend", :display_name => "username" }
 )
--
2.43.2
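Review bot: These assertions only pin the routing table; nothing in the patch exercises the two view templates it also changes, so a friend link that still renders as a GET (for instance because `:method => :post` ends up in the URL options of `link_to`) would pass the suite while being dead in the browser. A view or integration test that renders a user page and checks the friend link, e.g. `assert_select "a[data-method=post][href$=/make_friend]"`, would cover the user-facing part of this change. The enclosing test method starts before this hunk.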