
Commit cf862e7

SECURITY: Convert send_digest to a post request (#19746)
Co-authored-by: Isaac Janzen <isaac.janzen@discourse.org>
1 parent c201386 commit cf862e7

3 files changed

+15
-1
lines changed


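--- a/app/assets/javascripts/admin/addon/models/email-preview.js
+++ b/app/assets/javascripts/admin/addon/models/email-preview.js
@@ -16,6 +16,7 @@ EmailPreview.reopenClass({
 
 sendDigest(username, lastSeenAt, email) {
 return ajax("/admin/email/send-digest.json", {
+type: "POST",
 data: { last_seen_at: lastSeenAt || oneWeekAgo(), username, email },
 });
 },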

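--- a/config/routes.rb
+++ b/config/routes.rb
@@ -177,7 +177,7 @@ def patch(*) end # Disable PATCH requests
 get "/incoming/:id" => "email#incoming"
 get "/incoming_from_bounced/:id" => "email#incoming_from_bounced"
 get "preview-digest" => "email#preview_digest"
-get "send-digest" => "email#send_digest"
+post "send-digest" => "email#send_digest"
 get "smtp_should_reject"
 post "handle_mail"
 get "advanced-test"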

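--- a/spec/requests/admin/email_controller_spec.rb
+++ b/spec/requests/admin/email_controller_spec.rb
@@ -337,6 +337,19 @@
 end
 end
 
+describe '#send_digest' do
+context "when logged in as an admin" do
+before { sign_in(admin) }
+
+it "sends the digest" do
+post "/admin/email/send-digest.json", params: {
+last_seen_at: 1.week.ago, username: admin.username, email: email('previous_replies')
+}
+expect(response.status).to eq(200)
+end
+end
+end
+
 describe '#handle_mail' do
 context "when logged in as an admin" do
 before { sign_in(admin) }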
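Review bot: The new `describe '#send_digest'` block only pins the authorized happy path; the property this commit exists for — that a GET can no longer trigger the digest send — is not asserted, so the route in config/routes.rb regressing back to `get "send-digest"` would still pass this spec. Add a second example in the same admin context along the lines of `it "does not respond to GET" do get "/admin/email/send-digest.json"; expect(response.status).to eq(404) end`, adjusting the expected status to whatever the application's catch-all routing returns for an unmatched verb. The `email('previous_replies')` helper used in the params is presumably defined earlier in this spec file, outside the hunk.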
