From c49e400aa36d116ded8188240961d1e88b172ccd Mon Sep 17 00:00:00 2001 From: mmd-osm Date: Tue, 9 Feb 2021 19:46:17 +0100 Subject: [PATCH] Prevent CSRF bypass unblocking users --- app/controllers/user_blocks_controller.rb | 2 +- test/controllers/user_blocks_controller_test.rb | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/app/controllers/user_blocks_controller.rb b/app/controllers/user_blocks_controller.rb index 058c442d5..63fca6557 100644 --- a/app/controllers/user_blocks_controller.rb +++ b/app/controllers/user_blocks_controller.rb @@ -79,7 +79,7 @@ class UserBlocksController < ApplicationController ## # revokes the block, setting the end_time to now def revoke - if params[:confirm] && @user_block.revoke!(current_user) + if request.post? && params[:confirm] && @user_block.revoke!(current_user) flash[:notice] = t ".flash" redirect_to(@user_block) end diff --git a/test/controllers/user_blocks_controller_test.rb b/test/controllers/user_blocks_controller_test.rb index d5db89615..3e2be801d 100644 --- a/test/controllers/user_blocks_controller_test.rb +++ b/test/controllers/user_blocks_controller_test.rb @@ -351,7 +351,14 @@ class UserBlocksControllerTest < ActionDispatch::IntegrationTest assert_select "input[type='submit'][value='Revoke!']", :count => 1 end - # Check that revoking a block works + # Check that revoking a block using GET should fail + get revoke_user_block_path(:id => active_block, :confirm => true) + assert_response :success + assert_template "revoke" + b = UserBlock.find(active_block.id) + assert b.ends_at - Time.now > 100 + + # Check that revoking a block works using POST post revoke_user_block_path(:id => active_block, :confirm => true) assert_redirected_to user_block_path(active_block) b = UserBlock.find(active_block.id) -- 2.39.5