From 8239d6bb80742cf4ca260419a81da48d9f78b038 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20A=2E=20S=C3=A1nchez=20L=C3=B3pez?=
Date: Tue, 26 Apr 2011 14:28:10 +0000
Subject: [PATCH] Do not allow cancel submissions with GET requests. See #650 - Legacy-Id: 3061
---
 ietf/submit/views.py | 4 +++-
 ietf/templates/submit/draft_status.html | 12 +++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ietf/submit/views.py b/ietf/submit/views.py
index c463b0e57..beb83a918 100644
--- a/ietf/submit/views.py
+++ b/ietf/submit/views.py
@@ -2,7 +2,7 @@
 from django.conf import settings
 from django.core.urlresolvers import reverse
 from django.contrib.sites.models import Site
-from django.http import HttpResponseRedirect, Http404, HttpResponseForbidden
+from django.http import HttpResponseRedirect, Http404, HttpResponseForbidden, HttpResponseNotAllowed
 from django.shortcuts import get_object_or_404
 from django.shortcuts import render_to_response
 from django.template import RequestContext
@@ -167,6 +167,8 @@ def draft_status(request, submission_id, submission_hash=None, message=None):
 def draft_cancel(request, submission_id, submission_hash=None):
+ if request.method!='POST':
+ return HttpResponseNotAllowed(['POST'])
 detail = get_object_or_404(IdSubmissionDetail, submission_id=submission_id)
 can_cancel = _can_cancel(request.user, detail, submission_hash)
 if not can_cancel:
diff --git a/ietf/templates/submit/draft_status.html b/ietf/templates/submit/draft_status.html
index f90af04c6..011402f4e 100644
--- a/ietf/templates/submit/draft_status.html
+++ b/ietf/templates/submit/draft_status.html
@@ -24,12 +24,8 @@ pre.twopages { margin: 0px; } {% if can_cancel %} {% endif %}
@@ -198,7 +194,9 @@ returned to the submitter. {% if can_cancel %}
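Review bot: The POST-only guard added at the top of `draft_cancel` in ietf/submit/views.py stops a cancel from being triggered by a plain link or image fetch, but a cross-site form can still submit a POST, and nothing visible in this patch shows CSRF protection on the new form. Confirm that the project's CSRF middleware covers this view and that the cancel form in `draft_status.html` carries `{% csrf_token %}`; the template markup is not legible on this page, so this is unverified. The hand-written check could also be replaced by Django's `@require_POST` decorator from `django.views.decorators.http`, which returns the same 405 response, and a short comment such as `# Destructive action: accept POST only` would record the intent. The body of `draft_cancel` continues past the end of the hunk.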

Cancel submission

-
+

+
+
This submission will be canceled, and its uploaded document(s) permanently deleted.

{% endif %}