Trigger exports through a POST request

GET requests don't get any CSRF protection by Rails, thus these sensitive actions should be better protected. Thanks to @tomekr for the report.

Trigger exports through a POST request
6e546ff2 · Jonne Haß · 0a70e51f · 6e546ff2 · 6e546ff2 · 6e546ff2
--- a/app/views/users/edit.html.haml
+++ b/app/views/users/edit.html.haml
@@ -179,9 +179,9 @@
            = link_to t('.download_export'), download_profile_user_path, class: "btn btn-success"
            %h6
              = t('.last_exported_at', timestamp: current_user.exported_at)
-            = link_to t('.request_export_update'), export_profile_user_path, class: "btn"
+            = link_to t(".request_export_update"), export_profile_user_path, method: :post, class: "btn"
          - else
-            = link_to t('.request_export'), export_profile_user_path, :class => "btn"
+            = link_to t(".request_export"), export_profile_user_path, method: :post, class: "btn"

          - if current_user.exporting_photos
            .small-horizontal-spacer
@@ -191,10 +191,10 @@
            = link_to t('.download_export_photos'), download_photos_user_path, class: "btn  btn-success"
            %h6
              = t('.last_exported_at', timestamp: current_user.exported_photos_at)
-            = link_to t('.request_export_photos_update'), export_photos_user_path, class: "btn"
+            = link_to t(".request_export_photos_update"), export_photos_user_path, method: :post, class: "btn"
          - else
            .small-horizontal-spacer
-            = link_to t('.request_export_photos'), export_photos_user_path, :class => "btn"
+            = link_to t(".request_export_photos"), export_photos_user_path, method: :post, class: "btn"

        .span6
          %h3

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -101,9 +101,9 @@ Diaspora::Application.routes.draw do

  resource :user, :only => [:edit, :update, :destroy], :shallow => true do
    get :getting_started_completed
-    get :export_profile
+    post :export_profile
    get :download_profile
-    get :export_photos
+    post :export_photos
    get :download_photos
  end


--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -14,7 +14,7 @@ describe UsersController, :type => :controller do
  describe '#export_profile' do
    it 'queues an export job' do
      expect(@user).to receive :queue_export
-      get :export_profile
+      post :export_profile
      expect(request.flash[:notice]).to eql(I18n.t('users.edit.export_in_progress'))
      expect(response).to redirect_to(edit_user_path)
    end
@@ -31,7 +31,7 @@ describe UsersController, :type => :controller do
  describe '#export_photos' do
    it 'queues an export photos job' do
      expect(@user).to receive :queue_export_photos
-      get :export_photos
+      post :export_photos
      expect(request.flash[:notice]).to eql(I18n.t('users.edit.export_photos_in_progress'))
      expect(response).to redirect_to(edit_user_path)
    end