From 37364f07cbecb309afebe674a68ba64fc56aa1ae Mon Sep 17 00:00:00 2001
From: Simon Brandhof <simon.brandhof@gmail.com>
Date: Fri, 30 Aug 2013 15:26:36 +0200
Subject: [PATCH] Do not accept GET /account/update_notifications

Must be a POST request
---
 .../WEB-INF/app/controllers/account_controller.rb |  3 ++-
 .../WEB-INF/app/views/account/index.html.erb      | 15 +++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb
index 55d3fedabc2..0789c90b35d 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb
@@ -41,7 +41,7 @@ class AccountController < ApplicationController
   end
 
   def change_password
-    return unless request.post?
+    verify_post_request
     if User.authenticate(current_user.login, params[:old_password], servlet_request)
       if ((params[:password] == params[:password_confirmation]))
         current_user.password = params[:password]
@@ -62,6 +62,7 @@ class AccountController < ApplicationController
   end
 
   def update_notifications
+    verify_post_request
     # Global notifs
     global_notifs = params[:global_notifs]
     Property.delete_all(['prop_key like ? AND user_id = ? AND resource_id IS NULL', 'notification.%', current_user.id])
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb
index 0b62c6bd5ca..02a1ec0e0b8 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb
@@ -33,8 +33,8 @@
   <% if User.editable_password? %>
     <div class="admin marginbottom10">
       <h2><%= message('my_profile.password.title') -%></h2>
-      
-      <% form_tag({:action => 'change_password'}, :id => 'pass_form_tag', :name => 'pass_form_tag') do -%>
+
+      <form id="pass_form_tag" name="pass_form_tag" method="post" action="<%= ApplicationController.root_context -%>/account/change_password">
         <table class="form">
           <tr>
             <td class="keyCell"><label for="old_password"><%= message('my_profile.password.old') -%>:</label></td>
@@ -53,9 +53,9 @@
             <td><%= submit_tag message('my_profile.password.submit') %></td>
           </tr>
         </table>
-      <% end %>
+      </form>
 
-      <script type="text/javascript">
+      <script>
         //<![CDATA[
         $('pass_form_tag').focusFirstElement();
         //]]>
@@ -64,8 +64,7 @@
   <% end -%>
 
   <div class="admin marginbottom10">
-    <% form_tag({:action => 'update_notifications'}, {:method => 'post', :id => 'notif_form'}) do %>
-    
+    <form id="notif_form" method="post" action="<%= ApplicationController.root_context -%>/account/update_notifications">
       <% unless @global_dispatchers.empty? -%>
         <%= render "account/global_notifications" -%>
         <br/><br/>
@@ -76,8 +75,8 @@
       <% end %>
       
       <br/><br/>
-      <%= submit_tag message('my_profile.notifications.submit') %>
-    <% end %>
+      <input type="submit" value="<%= message('my_profile.notifications.submit') -%>" name="commit">
+    </form>
   </div>
   
 </div>
-- 
2.39.5