Prevent CSRF bypass unblocking users
authormmd-osm <mmd.osm@gmail.com>
Tue, 9 Feb 2021 18:46:17 +0000 (19:46 +0100)
committerTom Hughes <tom@compton.nu>
Tue, 9 Feb 2021 20:39:04 +0000 (20:39 +0000)
app/controllers/user_blocks_controller.rb
test/controllers/user_blocks_controller_test.rb

index 058c442d50999aef995831cc9598bb9e8906c8b9..63fca655750830184e5a0d221326b050426e5fce 100644 (file)
@@ -79,7 +79,7 @@ class UserBlocksController < ApplicationController
   ##
   # revokes the block, setting the end_time to now
   def revoke
-    if params[:confirm] && @user_block.revoke!(current_user)
+    if request.post? && params[:confirm] && @user_block.revoke!(current_user)
       flash[:notice] = t ".flash"
       redirect_to(@user_block)
     end
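Review bot: The header comment above `def revoke` still says the action "revokes the block, setting the end_time to now", but after this change that only happens on a confirmed POST, and the `request.post?` guard is the whole point of the fix, so the comment should state the contract: `# revokes the block (setting the end_time to now) only on a confirmed POST; any other request falls through without changing the block`. The reason is worth a one-line why-comment on the guard as well, e.g. `# GET is not covered by the CSRF token check, so never mutate on it`, since a future reader may otherwise "simplify" the condition back. Judging from the test's `assert_template "revoke"`, the non-POST path renders the confirmation form, but that rendering is outside this hunk and so is the rest of `revoke`, which ends beyond line 19.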
index d5db896151fd08f14f181cb61fbdd4605e11d206..3e2be801da33e903bf4db4d874ae67c3051ed43c 100644 (file)
@@ -351,7 +351,14 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest
       assert_select "input[type='submit'][value='Revoke!']", :count => 1
     end
 
-    # Check that revoking a block works
+    # Check that revoking a block using GET should fail
+    get revoke_user_block_path(:id => active_block, :confirm => true)
+    assert_response :success
+    assert_template "revoke"
+    b = UserBlock.find(active_block.id)
+    assert b.ends_at - Time.now > 100
+
+    # Check that revoking a block works using POST
     post revoke_user_block_path(:id => active_block, :confirm => true)
     assert_redirected_to user_block_path(active_block)
     b = UserBlock.find(active_block.id)
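Review bot: The GET-must-not-revoke check `assert b.ends_at - Time.now > 100` relies on a magic 100-second margin and reads as "block ends later than 100 seconds from now" rather than "block was not revoked"; since a revoke sets the end time to now, `assert_operator b.ends_at, :>, Time.now, "GET must not revoke the block"` states the intent directly, and capturing `active_block.ends_at` before the GET and asserting it is unchanged afterwards would pin it even more tightly if the fixture's timestamp precision allows an exact comparison. The comment `# Check that revoking a block using GET should fail` also reads awkwardly; `# Check that revoking a block via GET is refused` is clearer. The enclosing test method starts before this hunk and continues after it.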