Contacts|Contactgroups endpoints: Only allow filter on GET method

application/controllers/ApiV1ContactgroupsController.php

@@ -60,8 +60,13 @@ public function indexAction(): void
             $this->httpBadRequest('The given identifier is not a valid UUID');
         }
 
+        $filterStr = rawurldecode(Url::fromRequest()->getQueryString());
+        if ($method !== 'GET' && $filterStr) {
+            $this->httpBadRequest('Filter is only allowed for GET requests');
+        }
+
         $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
+            QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {

application/controllers/ApiV1ContactsController.php

@@ -65,8 +65,13 @@ public function indexAction(): void
             $this->httpBadRequest('The given identifier is not a valid UUID');
         }
 
+        $filterStr = rawurldecode(Url::fromRequest()->getQueryString());
+        if ($method !== 'GET' && $filterStr) {
+            $this->httpBadRequest('Filter is only allowed for GET requests');
+        }
+
         $filter = FilterProcessor::assembleFilter(
-            QueryString::fromString(rawurldecode(Url::fromRequest()->getQueryString()))
+            QueryString::fromString($filterStr)
                 ->on(
                     QueryString::ON_CONDITION,
                     function (Filter\Condition $condition) {
@@ -164,10 +169,6 @@ function (Filter\Condition $condition) {
 
                 exit;
             case 'POST':
-                if ($filter !== null) {
-                    $this->httpBadRequest('Cannot filter on POST');
-                }
-
                 $data = $this->getValidatedData();
 
                 $db->beginTransaction();