SECURITY: Convert send_digest to a post request (#19746)

Co-authored-by: Isaac Janzen <isaac.janzen@discourse.org>

app/assets/javascripts/admin/addon/models/email-preview.js

@@ -16,6 +16,7 @@ EmailPreview.reopenClass({
 
   sendDigest(username, lastSeenAt, email) {
     return ajax("/admin/email/send-digest.json", {
+      type: "POST",
       data: { last_seen_at: lastSeenAt || oneWeekAgo(), username, email },
     });
   },

config/routes.rb

@@ -177,7 +177,7 @@ Discourse::Application.routes.draw do
           get "/incoming/:id" => "email#incoming"
           get "/incoming_from_bounced/:id" => "email#incoming_from_bounced"
           get "preview-digest" => "email#preview_digest"
-          get "send-digest" => "email#send_digest"
+          post "send-digest" => "email#send_digest"
           get "smtp_should_reject"
           post "handle_mail"
           get "advanced-test"

spec/requests/admin/email_controller_spec.rb

@@ -337,6 +337,19 @@ RSpec.describe Admin::EmailController do
     end
   end
 
+  describe '#send_digest' do
+    context "when logged in as an admin" do
+      before { sign_in(admin) }
+
+      it "sends the digest" do
+        post "/admin/email/send-digest.json", params: {
+          last_seen_at: 1.week.ago, username: admin.username, email: email('previous_replies')
+        }
+        expect(response.status).to eq(200)
+      end
+    end
+  end
+
   describe '#handle_mail' do
     context "when logged in as an admin" do
       before { sign_in(admin) }