From 37364f07cbecb309afebe674a68ba64fc56aa1ae Mon Sep 17 00:00:00 2001
From: Simon Brandhof
Date: Fri, 30 Aug 2013 15:26:36 +0200
Subject: [PATCH] Do not accept GET /account/update_notifications

Must be a POST request
---
 .../WEB-INF/app/controllers/account_controller.rb | 3 ++-
 .../WEB-INF/app/views/account/index.html.erb | 15 +++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb
index 55d3fedabc2..0789c90b35d 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/account_controller.rb
@@ -41,7 +41,7 @@ class AccountController < ApplicationController
 end
 def change_password
- return unless request.post?
+ verify_post_request
 if User.authenticate(current_user.login, params[:old_password], servlet_request)
 if ((params[:password] == params[:password_confirmation]))
 current_user.password = params[:password]
@@ -62,6 +62,7 @@ class AccountController < ApplicationController
 end
 def update_notifications
+ verify_post_request
 # Global notifs
 global_notifs = params[:global_notifs]
 Property.delete_all(['prop_key like ? AND user_id = ? AND resource_id IS NULL', 'notification.%', current_user.id])
diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb
index 0b62c6bd5ca..02a1ec0e0b8 100644
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/account/index.html.erb
@@ -33,8 +33,8 @@
 <% if User.editable_password? %>
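Review bot: Replacing `return unless request.post?` with a bare `verify_post_request` call in change_password only blocks a GET if that helper raises; in Rails 2 a `render`/`head` inside an action does not stop execution, so if the helper merely renders a 405 the `User.authenticate` branch below still runs on GET and the request ends in a DoubleRenderError instead of a clean refusal. `verify_post_request` is defined outside this hunk (presumably in ApplicationController), so either confirm it raises, or make the guard self-evidently halting with `return unless verify_post_request` if it returns a boolean. A form that cannot fall through at all is the class-level `verify :method => :post, :only => [:change_password, :update_notifications], :redirect_to => {:action => :index}`, which rejects the request before the action body runs. Requiring POST is not by itself CSRF protection: the state change still depends on `protect_from_forgery` being active and the submitting form carrying the authenticity token, neither of which is visible here. The body of change_password continues past the hunk.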
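Review bot: In update_notifications the new `verify_post_request` line is immediately followed by `Property.delete_all(...)`, which removes every `notification.%` property of the current user, so this is the action where fall-through matters most: unless the helper raises (it is defined outside the hunk and may only render a response), a GET would still erase the user's notification settings before the response is sent. I would make the guard explicit, `return unless verify_post_request`, or move the method check to a class-level `verify :method => :post` declaration so no action body executes on GET. The delete also runs before the replacement properties are written; if the rest of the method is not wrapped in `Property.transaction do ... end`, a failure midway leaves the user with no notification settings at all. update_notifications continues outside the hunk, so the transaction boundary cannot be confirmed from here.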

<%= message('my_profile.password.title') -%>

- - <% form_tag({:action => 'change_password'}, :id => 'pass_form_tag', :name => 'pass_form_tag') do -%> + +
@@ -53,9 +53,9 @@
<%= submit_tag message('my_profile.password.submit') %>
- <% end %> +
-