From 5a4503227ff33c7da347cfc5a6352532fb02499e Mon Sep 17 00:00:00 2001
From: Sean Griffin
Date: Fri, 7 Sep 2018 13:26:32 -0600
Subject: [PATCH] Only use session tokens for auth for `GET` requests

Since we do not have any form of CSRF protection in place, we should not be allowing session tokens to be used for non-get requests. We don't currently have any CSRF vulnerabilities, as there are no `POST` requests in our router today. In the event that one does get added in the future, this will prevent a CSRF vulnerability from appearing, without us having to remember this detail in the future. It will also force us to properly add some form of protection if we want to accept a POST request sent by an HTML form in the future.
---
 src/middleware/current_user.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/middleware/current_user.rs b/src/middleware/current_user.rs
index 14028bb076b..42b9f7dd957 100644
--- a/src/middleware/current_user.rs
+++ b/src/middleware/current_user.rs
@@ -1,5 +1,6 @@
 use super::prelude::*;
+use conduit::Method;
 use conduit_cookie::RequestSession;
 use diesel::prelude::*;
@@ -29,7 +30,7 @@ impl Middleware for CurrentUser {
 let conn = req.db_conn().map_err(std_error)?;
- if let Some(id) = id {
+ if let (Some(id), Method::Get) = (id, req.method()) {
 // If it did, look for a user in the database with the given `user_id`
 let maybe_user = users::table.find(id).first::(&*conn);
 if let Ok(user) = maybe_user {
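Review bot: The reason the session cookie is ignored on non-GET requests exists only in the commit message; the added `if let (Some(id), Method::Get) = (id, req.method())` line reads as an arbitrary restriction to the next maintainer, who may well "fix" it by dropping the method check, and the existing comment on the following line ("If it did, look for a user…") no longer describes the full condition. I would put the rationale directly above the new line: `// Session cookies only authenticate GET requests: there is no CSRF protection, so a cross-site non-GET request that carries the cookie must not act as the logged-in user. Token-based auth is unaffected.` Note that on a non-GET request with a valid session the code falls through silently and the request continues unauthenticated rather than being rejected, which is presumably intended but worth stating in that comment, and worth pinning with a test that a POST carrying only a session cookie resolves no current user. The enclosing `call` body, including where `id` is read from the session, starts and ends outside the hunk; the first hunk is only the `use conduit::Method;` import.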