Batch modify should require POST method

[Jun Omae]

Batch modify doesn't check whether HTTP method is POST. We should require POST.

trac/ticket/batch.py

@@ -28 +28 @@
 from trac.util.datefmt import datetime_now, utc
 from trac.util.text import exception_to_unicode, to_unicode
 from trac.util.translation import _, tag_
-from trac.web.api import IRequestFilter, IRequestHandler
+from trac.web.api import IRequestFilter, IRequestHandler, HTTPBadRequest
 from trac.web.chrome import add_warning, add_script_data
 
 
@@ -53 +53 @@
         return req.path_info == '/batchmodify'
 
     def process_request(self, req):
+        if req.method != 'POST':
+            raise HTTPBadRequest(_("Invalid request arguments."))
         req.perm.assert_permission('TICKET_BATCH_MODIFY')
 
         comment = req.args.get('batchmod_value_comment', '')

trac/ticket/tests/batch.py

@@ -23 +23 @@
 from trac.ticket.batch import BatchModifyModule
 from trac.ticket.model import Ticket
 from trac.util.datefmt import datetime_now, utc
+from trac.web.api import HTTPBadRequest, RequestDone
 from trac.web.chrome import web_context
 
 
@@ -106 +107 @@
         selected_tickets = batch._get_selected_tickets(self.req)
         self.assertEqual(selected_tickets, [])
 
+    def test_require_post_method(self):
+        batch = BatchModifyModule(self.env)
+        req = MockRequest(self.env, method='GET', path_info='/batchmodify')
+        self.assertTrue(batch.match_request(req))
+        self.assertRaises(HTTPBadRequest, batch.process_request, req)
+        req = MockRequest(self.env, method='POST', path_info='/batchmodify',
+                          args={'selected_tickets': ''})
+        self.assertTrue(batch.match_request(req))
+        self.assertRaises(RequestDone, batch.process_request, req)
+
     # Assign list items
 
     def test_change_list_replace_empty_with_single(self):

[Jun Omae]

Committed in [15160] and merged in [15161-15162].