SECURITY: Convert send_digest to a post request (#19746)

Co-authored-by: Isaac Janzen <isaac.janzen@discourse.org>
2023-01-05 06:57:12 +08:00 · 2023-01-05 06:57:12 +08:00 · cf862e7365
parent c2013865d7
commit cf862e7365
3 changed files with 15 additions and 1 deletions
--- a/app/assets/javascripts/admin/addon/models/email-preview.js
+++ b/app/assets/javascripts/admin/addon/models/email-preview.js
@ -16,6 +16,7 @@ EmailPreview.reopenClass({

  sendDigest(username, lastSeenAt, email) {
    return ajax("/admin/email/send-digest.json", {
+      type: "POST",
      data: { last_seen_at: lastSeenAt || oneWeekAgo(), username, email },
    });
  },
--- a/config/routes.rb
+++ b/config/routes.rb
@ -177,7 +177,7 @@ Discourse::Application.routes.draw do
          get "/incoming/:id" => "email#incoming"
          get "/incoming_from_bounced/:id" => "email#incoming_from_bounced"
          get "preview-digest" => "email#preview_digest"
-          get "send-digest" => "email#send_digest"
+          post "send-digest" => "email#send_digest"
          get "smtp_should_reject"
          post "handle_mail"
          get "advanced-test"
--- a/spec/requests/admin/email_controller_spec.rb
+++ b/spec/requests/admin/email_controller_spec.rb
@ -337,6 +337,19 @@ RSpec.describe Admin::EmailController do
    end
  end

+  describe '#send_digest' do
+    context "when logged in as an admin" do
+      before { sign_in(admin) }
+
+      it "sends the digest" do
+        post "/admin/email/send-digest.json", params: {
+          last_seen_at: 1.week.ago, username: admin.username, email: email('previous_replies')
+        }
+        expect(response.status).to eq(200)
+      end
+    end
+  end
+
  describe '#handle_mail' do
    context "when logged in as an admin" do
      before { sign_in(admin) }