monitoring: Restrict delete downtime and delete comment to HTTP POST

2015-01-22 15:49:40 +01:00 · 2015-01-22 15:49:40 +01:00 · ba7818db5f
parent 0f13c0428c
commit ba7818db5f
1 changed files with 2 additions and 12 deletions
--- a/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
+++ b/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController.php
@ -143,12 +143,7 @@ abstract class MonitoredObjectController extends Controller
     */
    public function removeCommentAction()
    {
-        /*
-         * TODO(el): This is here because monitoring/list/comments has buttons to remove comments. Because of the nature
-         * of an action, the form is accessible via GET which does not make much sense because the form requires
-         * us to populate the ID of the comment which is to be deleted. We may introduce a combo box for choosing
-         * the comment ID on GET or deny GET access.
-         */
+        $this->assertHttpMethod('POST');
        $this->handleCommandForm(new DeleteCommentCommandForm());
    }

@ -157,12 +152,7 @@ abstract class MonitoredObjectController extends Controller
     */
    public function deleteDowntimeAction()
    {
-        /*
-         * TODO(el): This is here because monitoring/list/downtimes has buttons to remove comments. Because of the
-         * nature of an action, the form is accessible via GET which does not make much sense because the form requires
-         * us to populate the ID of the downtime which is to be deleted. We may introduce a combo box for choosing
-         * the downtime ID on GET or deny GET access.
-         */
+        $this->assertHttpMethod('POST');
        $this->handleCommandForm(new DeleteDowntimeCommandForm());
    }