manager: switch page reordering request to POST (#65617)

combo/manager/static/js/combo.manager.js

@@ -177,6 +177,7 @@ function init_pages_list(toggle_state)
 
        $.ajax({
            url: $('#pages-list').data('page-order-url'),
+           type: 'POST',
            data: {'new-order': new_order,
                   'moved-page-id': moved_page_id,
                   'moved-page-new-parent': new_parent

combo/manager/views.py

@@ -26,7 +26,14 @@ from django.conf import settings
 from django.contrib import messages
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
 from django.db import transaction
-from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect, JsonResponse
+from django.http import (
+    Http404,
+    HttpResponse,
+    HttpResponseBadRequest,
+    HttpResponseNotAllowed,
+    HttpResponseRedirect,
+    JsonResponse,
+)
 from django.shortcuts import get_object_or_404, redirect, render
 from django.template import engines
 from django.urls import reverse, reverse_lazy
@@ -34,7 +41,7 @@ from django.utils.encoding import force_bytes, force_text
 from django.utils.formats import date_format
 from django.utils.timezone import localtime
 from django.utils.translation import ugettext_lazy as _
-from django.views.decorators.csrf import requires_csrf_token
+from django.views.decorators.csrf import csrf_exempt, requires_csrf_token
 from django.views.generic import (
     CreateView,
     DeleteView,
@@ -853,17 +860,20 @@ class PageCellOrder(ManagedPageMixin, View):
 cell_order = PageCellOrder.as_view()
 
 
+@csrf_exempt
 @staff_required
 def page_order(request):
+    if request.method != 'POST':
+        return HttpResponseNotAllowed(['post'])
     params = ['new-order', 'moved-page-id', 'moved-page-new-parent']
     for param in params:
-        if param not in request.GET:
+        if param not in request.POST:
             return HttpResponseBadRequest('missing %s parameter' % param)
-    new_order = [int(x) for x in request.GET['new-order'].split(',')]
-    moved_page = Page.objects.get(id=request.GET['moved-page-id'])
-    if request.GET['moved-page-new-parent']:
+    new_order = [int(x) for x in request.POST['new-order'].split(',')]
+    moved_page = Page.objects.get(id=request.POST['moved-page-id'])
+    if request.POST['moved-page-new-parent']:
         # recreate full hierarchy to avoid cycles
-        current_hierarchy = Page.objects.get(id=request.GET['moved-page-new-parent']).get_parents_and_self()
+        current_hierarchy = Page.objects.get(id=request.POST['moved-page-new-parent']).get_parents_and_self()
         new_hierarchy = [x for x in current_hierarchy if not x.id == moved_page.id] + [moved_page]
         for i, page in enumerate(new_hierarchy):
             old_parent_id = page.parent_id
@@ -891,7 +901,7 @@ def page_order(request):
 
     if slug_conflict:
         # slug conflict after a page got moved, reload and rename
-        moved_page = Page.objects.get(id=request.GET['moved-page-id'])
+        moved_page = Page.objects.get(id=request.POST['moved-page-id'])
         moved_page.slug = moved_page.slug + '-' + hashlib.md5(force_bytes(moved_page.id)).hexdigest()[:4]
         moved_page.save()
     return redirect(reverse('combo-manager-homepage'))

tests/test_manager.py

@@ -771,8 +771,11 @@ def test_page_reorder(app, admin_user):
     ordered_ids = [x.id for x in Page.get_as_reordered_flat_hierarchy(Page.objects.all())]
     assert ordered_ids == [page1.id, page2.id, page3.id, page4.id]
 
-    # missing get params
-    app.get(
+    # invalid method
+    app.get('/manage/pages/order', status=405)
+
+    # missing params
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-new-parent': 42,
@@ -780,7 +783,7 @@ def test_page_reorder(app, admin_user):
         },
         status=400,
     )
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': 42,
@@ -788,7 +791,7 @@ def test_page_reorder(app, admin_user):
         },
         status=400,
     )
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': 42,
@@ -798,7 +801,7 @@ def test_page_reorder(app, admin_user):
     )
 
     # missing page3 in order
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': page4.id,
@@ -811,7 +814,7 @@ def test_page_reorder(app, admin_user):
     assert ordered_ids == [page1.id, page2.id, page3.id, page4.id]
 
     # move page4 before page3
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': page4.id,
@@ -824,7 +827,7 @@ def test_page_reorder(app, admin_user):
     assert ordered_ids == [page1.id, page2.id, page4.id, page3.id]
 
     # move page4 to level0
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': page4.id,
@@ -839,7 +842,7 @@ def test_page_reorder(app, admin_user):
     page4.slug = 'three'
     page4.save()
     # move it as a sibling of page3
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': page4.id,
@@ -857,7 +860,7 @@ def test_page_reorder(app, admin_user):
     page2.save()
     page3.parent = page2
     page3.save()
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': page1.id,
@@ -876,7 +879,7 @@ def test_page_reorder(app, admin_user):
     page3.save()
     page4.parent = page3
     page4.save()
-    app.get(
+    app.post(
         '/manage/pages/order',
         params={
             'moved-page-id': page2.id,