From: Tom Hughes
Date: Thu, 9 Feb 2017 19:37:48 +0000 (+0000)
Subject: Only send messages for POST requests
X-Git-Tag: live~4147
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/4709d90594c3cc35b4bb4f8db259abf9f89c2fe6?ds=inline;hp=-c
Only send messages for POST requests
---
4709d90594c3cc35b4bb4f8db259abf9f89c2fe6
diff --git a/app/controllers/message_controller.rb b/app/controllers/message_controller.rb
index 0ec1c8eb6..f4c465c93 100644
--- a/app/controllers/message_controller.rb
+++ b/app/controllers/message_controller.rb
@@ -13,7 +13,7 @@ class MessageController < ApplicationController
 # clicks send.
 # The display_name param is the display name of the user that the message is being sent to.
 def new
- if params[:message]
+ if request.post?
 if @user.sent_messages.where("sent_on >= ?", Time.now.getutc - 1.hour).count >= MAX_MESSAGES_PER_HOUR
 flash[:error] = t "message.new.limit_exceeded"
 else
@@ -28,10 +28,10 @@ class MessageController < ApplicationController
 redirect_to :action => "inbox", :display_name => @user.display_name
 end
 end
+ else
+ @message ||= Message.new(message_params.merge(:recipient => @this_user))
+ @title = t "message.new.title"
 end
-
- @message ||= Message.new(:recipient => @this_user)
- @title = t "message.new.title"
 end
 # Allow the user to reply to another message.
@@ -139,5 +139,7 @@ class MessageController < ApplicationController
 # return permitted message parameters
 def message_params
 params.require(:message).permit(:title, :body)
+ rescue ActionController::ParameterMissing
+ ActionController::Parameters.new.permit(:title, :body)
 end
 end
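Review bot: The `if request.post?` guard in the `@@ -13,7 +13,7 @@` hunk has no comment saying why the HTTP method, rather than the presence of `params[:message]`, now decides whether a message is sent. I would add above it `# Only send on POST: a GET carrying message[...] query parameters must only prefill the form, so sending stays behind the CSRF check Rails applies to non-GET requests.` That wording presumes forgery protection is enabled in ApplicationController, which this page does not show. The body of `new` continues outside this hunk.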
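Review bot: In the `@@ -28,10 +28,10 @@` hunk, moving the `@message ||=` and `@title` assignments into the `else` of `request.post?` leaves both unset on a POST that does not redirect. The rate-limit branch visible in the first hunk only sets `flash[:error]`, so unless a filter or the template supplies them the form would be rendered with `@message` nil and no `@title`. A POST whose save fails probably also loses `@title`, though lines 20–27 are not shown here. Keeping the two lines after the outer `end`, as `@message ||= Message.new(message_params.merge(:recipient => @this_user))` and `@title = t "message.new.title"`, would cover GET and the non-redirecting POST paths alike.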
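Review bot: The method-level `rescue ActionController::ParameterMissing` in the `@@ -139,5 +139,7 @@` hunk applies to every caller of `message_params`, so a POST that lacks the `message` key now yields empty permitted parameters instead of an error. Rejecting such a request is then left to whatever validation the Message model has, which is not shown. If the empty default is wanted only for prefilling the form, `params.fetch(:message, {}).permit(:title, :body)` at the GET call site expresses that without using an exception for the expected case, and `message_params` can keep its strict `require`.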