Skip to content

Require POST for file web mutations#82

Merged
ralyodio merged 1 commit into
profullstack:mainfrom
lustsazeus-lab:codex/post-only-file-web-mutations
Jul 7, 2026
Merged

Require POST for file web mutations#82
ralyodio merged 1 commit into
profullstack:mainfrom
lustsazeus-lab:codex/post-only-file-web-mutations

Conversation

@lustsazeus-lab

Copy link
Copy Markdown
Contributor

Summary

  • Require POST for the browser file manager's /upload, /mkdir, and /delete mutation endpoints.
  • Return 405 Method Not Allowed with Allow: POST for non-POST mutation requests.
  • Add a regression test that proves authenticated GET requests cannot upload, create folders, or delete files.

Fixes #81.

Root Cause

The handlers for file-manager mutations resolved the logged-in session and read form/query values without first checking the HTTP method. That allowed an authenticated GET such as /delete?path=/me/keep.txt to execute the delete path and redirect.

Validation

  • go test ./internal/files -run TestWebMutationsRejectGet -count=1
  • go test ./...
  • go build ./...
  • go vet ./...

@ralyodio ralyodio merged commit ff9eef9 into profullstack:main Jul 7, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

File web mutation endpoints accept GET requests

2 participants