From c83a7c91d16352bd449998b3a1e42f748e9c37dc Mon Sep 17 00:00:00 2001
From: Alan Guo Xiang Tan
Date: Thu, 5 Jan 2023 08:51:39 +0800
Subject: [PATCH] SECURITY: Convert send_digest to a post request (#19748)
Co-authored-by: Isaac Janzen
---
.../javascripts/admin/addon/models/email-preview.js | 1 +
config/routes.rb | 2 +-
spec/requests/admin/email_controller_spec.rb | 13 +++++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/app/assets/javascripts/admin/addon/models/email-preview.js b/app/assets/javascripts/admin/addon/models/email-preview.js
index 96ffe2f949..1a709db82b 100644
--- a/app/assets/javascripts/admin/addon/models/email-preview.js
+++ b/app/assets/javascripts/admin/addon/models/email-preview.js
@@ -16,6 +16,7 @@ EmailPreview.reopenClass({
sendDigest(username, lastSeenAt, email) {
return ajax("/admin/email/send-digest.json", {
+ type: "POST",
data: { last_seen_at: lastSeenAt || oneWeekAgo(), username, email },
});
},
diff --git a/config/routes.rb b/config/routes.rb
index a432005590..73f0699b6c 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -166,7 +166,7 @@ Discourse::Application.routes.draw do
get "/incoming/:id" => "email#incoming"
get "/incoming_from_bounced/:id" => "email#incoming_from_bounced"
get "preview-digest" => "email#preview_digest"
- get "send-digest" => "email#send_digest"
+ post "send-digest" => "email#send_digest"
get "smtp_should_reject"
post "handle_mail"
get "advanced-test"
diff --git a/spec/requests/admin/email_controller_spec.rb b/spec/requests/admin/email_controller_spec.rb
index 3dff458e2f..a867a33fa0 100644
--- a/spec/requests/admin/email_controller_spec.rb
+++ b/spec/requests/admin/email_controller_spec.rb
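Review bot: The `post "send-digest" => "email#send_digest"` line moves a mail-sending action off GET, but nothing in the routes hunk records why the verb matters, so the next person adding an admin email route has no signal that side-effecting actions must not be reachable by a plain link. A one-line comment above it would carry that: `# send-digest sends mail: keep it non-GET so CSRF verification applies and link prefetchers/crawlers cannot trigger it`. The neighbouring `get "advanced-test"` sits in the same block; whether that action has side effects cannot be told from this hunk, but if it does it warrants the same treatment. The enclosing `Discourse::Application.routes.draw` block begins and ends outside the hunk.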
@@ -201,6 +201,19 @@ describe Admin::EmailController do
end
end
+ describe '#send_digest' do
+ context "when logged in as an admin" do
+ before { sign_in(admin) }
+ it "sends the digest" do
+ post "/admin/email/send-digest.json", params: {
+ last_seen_at: 1.week.ago, username: admin.username, email: email('previous_replies')
+ }
+ expect(response.status).to eq(200)
+ end
+ end
+ end
+
describe '#handle_mail' do
it "returns a bad request if neither email parameter is present" do
post "/admin/email/handle_mail.json"
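Review bot: The new `#send_digest` spec only asserts that an admin POST returns 200; it does not pin the property this security change exists for, namely that the former GET is no longer routed, and it does not cover a non-staff caller, so a later revert of the route line would pass this suite untouched. Two more examples in the same describe would close that: a GET to `/admin/email/send-digest.json` expected to be rejected (404 here, or whatever status this file asserts for unknown routes, since I cannot see how routing errors are handled in these request specs), and a POST as a non-staff user using whichever user fixture the file's other contexts already use. The bare `eq(200)` also proves nothing about a digest actually being produced; if the action enqueues or delivers mail, asserting on that would be stronger, though the action body is not visible here. The outer `describe Admin::EmailController` block starts outside the hunk.

```ruby
describe '#send_digest' do
  context "when logged in as an admin" do
    before { sign_in(admin) }

    # … unchanged: "sends the digest" example …

    it "is not reachable via GET" do
      get "/admin/email/send-digest.json", params: {
        last_seen_at: 1.week.ago, username: admin.username, email: email('previous_replies')
      }
      expect(response.status).to eq(404)
    end
  end

  context "when logged in as a non-staff user" do
    before { sign_in(Fabricate(:user)) } # use the file's existing non-staff fixture if it has one

    it "refuses to send the digest" do
      post "/admin/email/send-digest.json", params: {
        last_seen_at: 1.week.ago, username: admin.username, email: email('previous_replies')
      }
      expect(response.status).to eq(404)
    end
  end
end
```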