[#7942] require post for removing a custom group
diff --git a/Allura/allura/ext/admin/admin_main.py b/Allura/allura/ext/admin/admin_main.py
index 5bde57c..ec61edb 100644
--- a/Allura/allura/ext/admin/admin_main.py
+++ b/Allura/allura/ext/admin/admin_main.py
@@ -1036,6 +1036,7 @@
@without_trailing_slash
@expose()
+ @require_post()
@h.vardec
def delete_group(self, group_name, **kw):
role = M.ProjectRole.by_name(group_name)
diff --git a/Allura/allura/public/nf/js/project_groups.js b/Allura/allura/public/nf/js/project_groups.js
index a4c9ab9..99ecd12 100644
--- a/Allura/allura/public/nf/js/project_groups.js
+++ b/Allura/allura/public/nf/js/project_groups.js
@@ -43,8 +43,10 @@
$('a.delete_group').click(function(evt){
evt.preventDefault();
var link = this;
- if(confirm("Are you sure you want to remove the group? All users and groups in the group will lose its permissions.")){
- $.get(link.href, function (data) {
+ var csrf = $.cookie('_session_id');
+ var data = {_session_id: csrf};
+ if(confirm("Are you sure you want to remove the group? All users and groups in the group will lose their permissions.")){
+ $.post(link.href, data, function(resp) {
$(link).closest('tr').hide('fast');
});
}
