security protection for admin actions
technoweenie (author)
Mon Jun 30 20:27:44 -0700 2008
commit  45ffeb7a56d59b8abe0bd78b53cec861423c9654
tree    4637da92cd946221cfe706d64067d957a09a30aa
parent  e668bea7af08a86c26f0b856b8f52555a37f2154
...
9
10
11
 
12
13
14
...
9
10
11
12
13
14
15
0
@@ -9,6 +9,7 @@ class Admin::ArticlesController < Admin::BaseController
0
   before_filter :check_for_new_draft, :only => [:create, :update, :upload]
0
   
0
   before_filter :find_site_article, :only => [:edit, :update, :comments, :approve, :unapprove, :destroy, :attach, :detach]
0
+ before_filter :protect_action, :only => [:approve, :unapprove, :attach, :detach]
0
   before_filter :login_required, :except => :upload
0
   before_filter :load_sections, :only => [:new, :edit]
0
 
...
2
3
4
 
5
6
7
8
9
 
 
 
 
 
 
 
 
 
 
 
 
10
11
12
...
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
0
@@ -2,11 +2,24 @@ class Admin::BaseController < ApplicationController
0
   class_inheritable_reader :member_actions
0
   write_inheritable_attribute :member_actions, []
0
   include AuthenticatedSystem
0
+ before_filter :protect_action, :only => [:create, :update, :destroy]
0
   before_filter { |c| UserMailer.default_url_options[:host] = c.request.host_with_port }
0
   before_filter :login_from_cookie
0
   before_filter :login_required, :except => :feed
0
 
0
   protected
0
+ def protect_action
0
+ if request.get?
0
+ if params[:id]
0
+ redirect_to :action => 'show', :id => params[:id]
0
+ else
0
+ redirect_to :action => 'index'
0
+ end
0
+ else
0
+ true
0
+ end
0
+ end
0
+
0
     # standard authorization method. allow logged in users that are admins, or members in certain actions
0
     def authorized?
0
       logged_in? && (admin? || member_actions.include?(action_name) || allow_member?)
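Review bot: `protect_action` redirects any GET carrying an `id` to `show`, but the controllers that enable it do not visibly have a `show` action — the ArticlesController filter list (`:edit, :update, :comments, …`) and the CommentsController `member_actions` list both lack one — so a stray GET to `approve` would likely land on a missing action rather than somewhere useful; confirm `show` exists in each caller or redirect to `edit` instead. The `else true` branch is redundant, since a before_filter only halts on `false`, so `if request.get? … end` is enough; whether the redirect alone halts the chain depends on the Rails version in use (older versions halted only on a `false` return), so an explicit `return false` after each `redirect_to` would be the portable form. The same verb check already exists declaratively in ResourcesController as `verify :method => :post, … :redirect_to => …`, which could replace this method and its six per-controller filter lines. Rejecting GETs stops link- and prefetch-triggered changes but not a cross-site POST; if this Rails version provides `protect_from_forgery`, that token check is the complement to this filter.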
...
1
2
 
3
4
5
...
1
2
3
4
5
6
0
@@ -1,5 +1,6 @@
0
 class Admin::CachedPagesController < Admin::BaseController
0
   before_filter { |c| raise ActionController::UnknownController unless c.class.perform_caching }
0
+ before_filter :protect_action, :only => :clear
0
 
0
   def index
0
     CachedPage.with_current_scope do
...
1
2
3
 
4
5
6
...
1
2
3
4
5
6
7
0
@@ -1,6 +1,7 @@
0
 class Admin::CommentsController < Admin::BaseController
0
 
0
   member_actions.push(*%w(index unapproved create edit update approve unapprove destroy close ))
0
+ before_filter :protect_action, :only => [:approve, :unapprove]
0
 
0
 private
0
 
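Review bot: `close` is listed in `member_actions` on the line above but is absent from the new `protect_action` list, although `approve` and `unapprove` are included; if `close` changes comment state as its name suggests, it remains reachable by a plain GET and should be added: `before_filter :protect_action, :only => [:approve, :unapprove, :close]`. `create`, `update` and `destroy` are already covered by the filter declared in Admin::BaseController, so only the controller-specific mutating actions need listing here.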
...
3
4
5
 
6
7
8
...
3
4
5
6
7
8
9
0
@@ -3,6 +3,7 @@ class Admin::OverviewController < Admin::BaseController
0
   session :off, :only => :feed
0
   before_filter :basic_auth_required, :only => :feed
0
   caches_page :feed
0
+ before_filter :protect_action, :only => :delete
0
   
0
   helper Admin::ArticlesHelper
0
   
...
8
9
10
11
 
12
13
14
...
26
27
28
 
 
 
 
29
30
31
...
36
37
38
 
 
 
 
39
40
41
...
8
9
10
 
11
12
13
14
...
26
27
28
29
30
31
32
33
34
35
...
40
41
42
43
44
45
46
47
48
49
0
@@ -8,7 +8,7 @@ class Admin::ResourcesController < Admin::DesignController
0
   verify :method => :post, :params => :resource, :only => :upload,
0
          :add_flash => { :error => 'Resource required' },
0
          :redirect_to => { :controller => 'design', :action => 'index' }
0
-
0
+
0
   def index
0
     redirect_to :controller => 'design'
0
   end
0
@@ -26,6 +26,10 @@ class Admin::ResourcesController < Admin::DesignController
0
   end
0
 
0
   def upload
0
+ if request.get?
0
+ redirect_to :controller => 'design', :action => 'index'
0
+ return
0
+ end
0
     if params[:resource] && Asset.image?(params[:resource].content_type.strip) && (1..1.megabyte).include?(params[:resource].size)
0
       @resource = @theme.resources.write File.basename(params[:resource].original_filename), params[:resource].read
0
       flash[:notice] = "'#{@resource.basename}' was uploaded successfully."
0
@@ -36,6 +40,10 @@ class Admin::ResourcesController < Admin::DesignController
0
   end
0
   
0
   def remove
0
+ if request.get?
0
+ redirect_to :action => 'edit'
0
+ return
0
+ end
0
     @resource = @theme.resources[params[:filename]]
0
     render :update do |page|
0
       @resource.unlink if @resource.file?
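Review bot: The GET guard added at the top of `upload` duplicates the `verify :method => :post, :params => :resource, :only => :upload` declaration at the top of the same file, which already redirects non-POST requests to `design/index`, so the four new lines appear unreachable on a GET and can be dropped. The guard in `remove` (and the identical one in Admin::TemplatesController#remove) would read consistently with that existing declarative style as `verify :method => :post, :only => :remove, :redirect_to => { :action => 'edit' }` instead of an inline `request.get?` check. Both method bodies continue past the hunk.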
...
1
2
 
3
4
5
...
1
2
3
4
5
6
0
@@ -1,5 +1,6 @@
0
 class Admin::SectionsController < Admin::BaseController
0
   cache_sweeper :article_sweeper, :except => :index
0
+ before_filter :protect_action, :only => :order
0
   before_filter :find_and_sort_templates, :only => [:index, :edit]
0
   before_filter :find_and_reorder_sections, :only => [:index, :edit]
0
   before_filter :find_section, :only => [:destroy, :update]
...
23
24
25
 
 
 
 
26
27
28
...
23
24
25
26
27
28
29
30
31
32
0
@@ -23,6 +23,10 @@ class Admin::TemplatesController < Admin::DesignController
0
   end
0
 
0
   def remove
0
+ if request.get?
0
+ redirect_to :action => 'edit'
0
+ return
0
+ end
0
     @tmpl = @theme.templates[params[:filename]]
0
     render :update do |page|
0
       if !@tmpl.file?
...
2
3
4
5
 
6
7
8
...
2
3
4
 
5
6
7
8
0
@@ -2,7 +2,7 @@ class Admin::ThemesController < Admin::BaseController
0
   @@theme_export_path = RAILS_PATH + 'tmp/export'
0
   @@theme_content_types = %w(application/zip multipart/x-zip application/x-zip-compressed)
0
   cattr_accessor :theme_export_path, :theme_content_types
0
-
0
+ before_filter :protect_action, :only => [:export, :change_to, :rollback, :import]
0
   before_filter :find_theme, :only => [:preview_for, :export, :change_to, :show, :destroy]
0
 
0
   def preview_for
