From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Thu, 6 Jan 2011 20:46:22 +0000 (+0000)
Subject: Verify HTTP method on ProjectsController#create.
X-Git-Tag: 1.2.0~1127
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=072c4ad14cf0649545ceab6261558a32c234e720;p=redmine.git

Verify HTTP method on ProjectsController#create.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4646 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 1dffedc0e..6557af3e4 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -32,9 +32,6 @@ class ProjectsController < ApplicationController
     end
   end
 
-  # TODO: convert to PUT only
-  verify :method => [:post, :put], :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
-
   helper :sort
   include SortHelper
   helper :custom_fields
@@ -71,6 +68,7 @@ class ProjectsController < ApplicationController
     @project = Project.new(params[:project])
   end
 
+  verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
   def create
     @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
     @trackers = Tracker.all
@@ -183,6 +181,8 @@ class ProjectsController < ApplicationController
   def edit
   end
 
+  # TODO: convert to PUT only
+  verify :method => [:post, :put], :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
   def update
     @project.safe_attributes = params[:project]
     if validate_parent_id && @project.save
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index d3a12f290..0b77daa50 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
@@ -288,6 +288,17 @@ class ProjectsControllerTest < ActionController::TestCase
     end
   end
   
+  context "GET :create" do
+    setup do
+      @request.session[:user_id] = 1
+    end
+    
+    should "not be allowed" do
+      get :create
+      assert_response :method_not_allowed
+    end
+  end
+  
   def test_show_by_id
     get :show, :id => 1
     assert_response :success