From af6c715a5be47808ecf735a4ae468b7598df16c9 Mon Sep 17 00:00:00 2001
From: Lars Jung
Date: Fri, 1 May 2015 16:16:31 +0200
Subject: [PATCH] Switch API to react to POST only.
---
 src/_h5ai/server/php/inc/class-api.php | 6 +-----
 src/_h5ai/server/php/inc/class-bootstrap.php | 2 +-
 src/_h5ai/server/php/inc/class-util.php | 16 +++++++++++-----
 3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/_h5ai/server/php/inc/class-api.php b/src/_h5ai/server/php/inc/class-api.php
index 6eae03f3..a2512ed1 100644
--- a/src/_h5ai/server/php/inc/class-api.php
+++ b/src/_h5ai/server/php/inc/class-api.php
@@ -16,7 +16,7 @@ class Api {
 public function apply() {
 $action = Util::use_request_param("action");
- Util::json_fail(100, "unsupported request", !in_array($action, $this->actions));
+ Util::json_fail(101, "unsupported action", !in_array($action, $this->actions));
 $methodname = "on_${action}";
 $this->$methodname();
@@ -102,10 +102,6 @@ class Api {
 $response["all_items"] = $this->app->get_all_items();
 }
- if (AS_ADMIN && count($_REQUEST)) {
- $response["unused"] = $_REQUEST;
- }
-
 Util::json_exit($response);
 }
diff --git a/src/_h5ai/server/php/inc/class-bootstrap.php b/src/_h5ai/server/php/inc/class-bootstrap.php
index 1c246ddf..582b2cc8 100644
--- a/src/_h5ai/server/php/inc/class-bootstrap.php
+++ b/src/_h5ai/server/php/inc/class-bootstrap.php
@@ -7,7 +7,7 @@ class Bootstrap {
 Bootstrap::setup();
 $app = new App();
- if (Util::has_request_param("action")) {
+ if (Util::is_post_request()) {
 $api = new Api($app);
 $api->apply();
 } else {
diff --git a/src/_h5ai/server/php/inc/class-util.php b/src/_h5ai/server/php/inc/class-util.php
index 8e523dfd..ce84898d 100644
--- a/src/_h5ai/server/php/inc/class-util.php
+++ b/src/_h5ai/server/php/inc/class-util.php
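Review bot: In `Api::apply()` (class-api.php, first hunk) the allow-list test `in_array($action, $this->actions)` is still a loose comparison, and it is the only check between the request-supplied `action` and the dynamic call `$this->$methodname()`. Since the line is being edited anyway, make the match strict: `Util::json_fail(101, "unsupported action", !in_array($action, $this->actions, true));`. Assuming `$this->actions` holds only strings, a strict match also ensures `$action` is a string before it is interpolated into `"on_${action}"`, which matters because a POST field can arrive as an array. The contents of `$this->actions` are outside the hunk, so whether a loose match is actually reachable today cannot be confirmed from here.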
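Review bot: In class-bootstrap.php every POST is now handed to `Api::apply()`, but limiting the API to POST is not by itself a cross-site request forgery control, because a cross-origin form submission is also a POST and carries the visitor's cookies. No token or `Origin`/`Referer` check is visible in this diff; whether one is needed depends on what the `on_*` handlers change, and those are outside the hunk. At minimum a comment above the branch would keep the distinction clear, e.g. `// POST-only routing is not CSRF protection; state-changing actions must verify a token or the request origin`. The enclosing method starts and ends outside the hunk.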
@@ -29,21 +29,27 @@ class Util {
 }
+ public static function is_post_request() {
+
+ return (strtolower($_SERVER['REQUEST_METHOD']) === 'post');
+ }
+
+
 public static function has_request_param($key) {
- return array_key_exists($key, $_REQUEST);
+ return array_key_exists($key, $_POST);
 }
 public static function use_request_param($key, $default = null) {
- if (!array_key_exists($key, $_REQUEST)) {
- Util::json_fail(101, "parameter '$key' is missing", $default === null);
+ if (!array_key_exists($key, $_POST)) {
+ Util::json_fail(100, "parameter '$key' is missing", $default === null);
 return $default;
 }
- $value = $_REQUEST[$key];
- unset($_REQUEST[$key]);
+ $value = $_POST[$key];
+ unset($_POST[$key]);
 return $value;
 }
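Review bot: `is_post_request()` reads `$_SERVER['REQUEST_METHOD']` unconditionally, and that key is not set when the code runs outside a web request (CLI, tests), so the new check raises an undefined-index notice there. Guard it with `return isset($_SERVER['REQUEST_METHOD']) && strtolower($_SERVER['REQUEST_METHOD']) === 'post';`. Separately, `use_request_param()` returns `$_POST[$key]` as received, which is an array when the client sends `key[]=...`; a docblock stating that callers must validate the type before using the value as a string or path would help. The `unset($_POST[$key])` bookkeeping also looks left over now that class-api.php no longer reports unused parameters, though other readers of `$_POST` may exist outside this diff.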