Commit 6e546ff2 authored by Jonne Haß's avatar Jonne Haß

Trigger exports through a POST request

Rails applies no CSRF protection to GET requests,
so these sensitive actions should be better protected.

Thanks to @tomekr for the report.
parent 0a70e51f
......@@ -179,9 +179,9 @@
= link_to t('.download_export'), download_profile_user_path, class: "btn btn-success"
%h6
= t('.last_exported_at', timestamp: current_user.exported_at)
= link_to t('.request_export_update'), export_profile_user_path, class: "btn"
= link_to t(".request_export_update"), export_profile_user_path, method: :post, class: "btn"
- else
= link_to t('.request_export'), export_profile_user_path, :class => "btn"
= link_to t(".request_export"), export_profile_user_path, method: :post, class: "btn"
- if current_user.exporting_photos
.small-horizontal-spacer
......@@ -191,10 +191,10 @@
= link_to t('.download_export_photos'), download_photos_user_path, class: "btn btn-success"
%h6
= t('.last_exported_at', timestamp: current_user.exported_photos_at)
= link_to t('.request_export_photos_update'), export_photos_user_path, class: "btn"
= link_to t(".request_export_photos_update"), export_photos_user_path, method: :post, class: "btn"
- else
.small-horizontal-spacer
= link_to t('.request_export_photos'), export_photos_user_path, :class => "btn"
= link_to t(".request_export_photos"), export_photos_user_path, method: :post, class: "btn"
.span6
%h3
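Review bot: The `method: :post` added on `= link_to t(".request_export_update")`, `= link_to t(".request_export")` and the two photo links in the second hunk (`@@ -191,10`) only emits a `data-method="post"` attribute; the actual POST and its authenticity token are generated client-side by the Rails UJS script, so without JavaScript the anchor degrades to a plain GET, which the routes change on this commit no longer matches — a safe failure, but the export becomes unreachable for that case. `button_to` renders a real form that carries the CSRF token and needs no script, e.g. `= button_to t(".request_export"), export_profile_user_path, class: "btn"`, and the same substitution applies to the other three links. The UJS path presumably also depends on `csrf_meta_tags` being rendered in the layout, which is outside this diff and worth confirming. The `- if`/`- else` block these links sit in starts outside the hunk.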
......@@ -101,9 +101,9 @@ Diaspora::Application.routes.draw do
resource :user, :only => [:edit, :update, :destroy], :shallow => true do
get :getting_started_completed
get :export_profile
post :export_profile
get :download_profile
get :export_photos
post :export_photos
get :download_photos
end
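Review bot: Restricting `post :export_profile` and `post :export_photos` to POST only delivers CSRF protection if forgery verification is actually enforced for `UsersController`; that is decided by `protect_from_forgery` (and any `skip_before_action :verify_authenticity_token`) in controller code outside this hunk, so confirm it is enabled for these actions rather than assumed. A comment on the two routes would keep the intent from being undone later, e.g. `# POST only: these actions change state and must stay behind forgery protection`. Any other caller still issuing a GET to these paths (other views, mails) will now fail with a routing error, which is the safe direction but worth a grep. The `resource :user` block is fully visible in the hunk.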
......@@ -14,7 +14,7 @@ describe UsersController, :type => :controller do
describe '#export_profile' do
it 'queues an export job' do
expect(@user).to receive :queue_export
get :export_profile
post :export_profile
expect(request.flash[:notice]).to eql(I18n.t('users.edit.export_in_progress'))
expect(response).to redirect_to(edit_user_path)
end
......@@ -31,7 +31,7 @@ describe UsersController, :type => :controller do
describe '#export_photos' do
it 'queues an export photos job' do
expect(@user).to receive :queue_export_photos
get :export_photos
post :export_photos
expect(request.flash[:notice]).to eql(I18n.t('users.edit.export_photos_in_progress'))
expect(response).to redirect_to(edit_user_path)
end
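Review bot: The examples at `post :export_profile` and `post :export_photos` (second hunk, `@@ -31,7`) only show the POST path still queues the job; nothing asserts the property this commit introduces, that GET no longer reaches these actions, so a later `get` route added back would pass the suite unnoticed. A negative example beside each would pin it, e.g. `it "is not routable via GET" do expect { get :export_profile }.to raise_error(ActionController::UrlGenerationError) end`, which is the error controller tests raise when no route matches the verb (a routing spec with `be_routable` is the alternative). The CSRF check itself cannot be asserted here, since the Rails test environment disables forgery protection by default. Each `describe` block's closing `end` lies outside its hunk.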