Adding @RequirePOST in a bunch of places where it seems to be missing.

42f37944 · Jesse Glick · 1f8479c7 · 42f37944 · 42f37944 · 42f37944
9 changed file
--- a/core/src/main/java/hudson/model/AllView.java
+++ b/core/src/main/java/hudson/model/AllView.java
@@ -35,6 +35,7 @@ import java.util.Collection;

 import hudson.model.Descriptor.FormException;
 import hudson.Extension;
+import org.kohsuke.stapler.interceptor.RequirePOST;

 /**
 * {@link View} that contains everything.
@@ -68,6 +69,7 @@ public class AllView extends View {
        return true;
    }

+    @RequirePOST
    @Override
    public Item doCreateItem(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {

--- a/core/src/main/java/hudson/model/Computer.java
+++ b/core/src/main/java/hudson/model/Computer.java
@@ -1078,6 +1078,7 @@ public /*transient*/ abstract class Computer extends Actionable implements Acces
            runs.newBuilds(), Run.FEED_ADAPTER, req, rsp );
    }

+    @RequirePOST
    public HttpResponse doToggleOffline(@QueryParameter String offlineMessage) throws IOException, ServletException {
        if(!temporarilyOffline) {
            checkPermission(DISCONNECT);
@@ -1093,6 +1094,7 @@ public /*transient*/ abstract class Computer extends Actionable implements Acces
        return HttpResponses.redirectToDot();
    }

+    @RequirePOST
    public HttpResponse doChangeOfflineCause(@QueryParameter String offlineMessage) throws IOException, ServletException {
        checkPermission(DISCONNECT);
        offlineMessage = Util.fixEmptyAndTrim(offlineMessage);
@@ -1237,6 +1239,7 @@ public /*transient*/ abstract class Computer extends Actionable implements Acces
     * Really deletes the slave.
     */
    @CLIMethod(name="delete-node")
+    @RequirePOST
    public HttpResponse doDoDelete() throws IOException {
        checkPermission(DELETE);
        Node node = getNode();

--- a/core/src/main/java/hudson/model/ListView.java
+++ b/core/src/main/java/hudson/model/ListView.java
@@ -256,6 +256,7 @@ public class ListView extends View implements Saveable {
        return statusFilter;
    }

+    @RequirePOST
    public Item doCreateItem(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        ItemGroup<? extends TopLevelItem> ig = getOwnerItemGroup();
        if (ig instanceof ModifiableItemGroup) {

--- a/core/src/main/java/hudson/model/MyView.java
+++ b/core/src/main/java/hudson/model/MyView.java
@@ -37,6 +37,7 @@ import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.DataBoundConstructor;
 import hudson.model.Descriptor.FormException;
 import hudson.Extension;
+import org.kohsuke.stapler.interceptor.RequirePOST;

 /**
 * {@link View} that only contains projects for which the current user has access to.
@@ -60,6 +61,7 @@ public class MyView extends View {
        return item.hasPermission(Job.CONFIGURE);
    }

+    @RequirePOST
    @Override
    public TopLevelItem doCreateItem(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {

--- a/core/src/main/java/hudson/model/ProxyView.java
+++ b/core/src/main/java/hudson/model/ProxyView.java
@@ -38,6 +38,7 @@ import org.kohsuke.stapler.Stapler;
 import org.kohsuke.stapler.StaplerFallback;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.interceptor.RequirePOST;

 /**
 * A view that delegates to another.
@@ -105,6 +106,7 @@ public class ProxyView extends View implements StaplerFallback {
        this.proxiedViewName = proxiedViewName;
    }

+    @RequirePOST
    @Override
    public Item doCreateItem(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        return getProxiedView().doCreateItem(req, rsp);

--- a/core/src/main/java/hudson/model/TreeView.java
+++ b/core/src/main/java/hudson/model/TreeView.java
@@ -41,6 +41,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.concurrent.CopyOnWriteArrayList;
+import org.kohsuke.stapler.interceptor.RequirePOST;

 /**
 *
@@ -106,6 +107,7 @@ public class TreeView extends View implements ViewGroup {
 //        return jobNames.contains(item.getName());
    }

+    @RequirePOST
    public TopLevelItem doCreateItem(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        ItemGroup<? extends TopLevelItem> ig = getOwnerItemGroup();
        if (ig instanceof ModifiableItemGroup) {

--- a/core/src/main/java/hudson/model/View.java
+++ b/core/src/main/java/hudson/model/View.java
@@ -932,6 +932,7 @@ public abstract class View extends AbstractModelObject implements AccessControll
    /**
     * Accepts the new description.
     */
+    @RequirePOST
    public synchronized void doSubmitDescription( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
        checkPermission(CONFIGURE);


--- a/core/src/main/java/hudson/slaves/SlaveComputer.java
+++ b/core/src/main/java/hudson/slaves/SlaveComputer.java
@@ -87,6 +87,7 @@ import org.acegisecurity.context.SecurityContextHolder;
 import org.kohsuke.stapler.ResponseImpl;
 import org.kohsuke.stapler.WebMethod;
 import org.kohsuke.stapler.compression.FilterServletOutputStream;
+import org.kohsuke.stapler.interceptor.RequirePOST;

 /**
 * {@link Computer} for {@link Slave}s.
@@ -527,6 +528,7 @@ public class SlaveComputer extends Computer {
            return channel.call(new SlaveLogFetcher());
    }

+    @RequirePOST
    public HttpResponse doDoDisconnect(@QueryParameter String offlineMessage) throws IOException, ServletException {
        if (channel!=null) {
            //does nothing in case computer is already disconnected
@@ -554,6 +556,7 @@ public class SlaveComputer extends Computer {
        });
    }

+    @RequirePOST
    public void doLaunchSlaveAgent(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
        if(channel!=null) {
            req.getView(this,"already-launched.jelly").forward(req, rsp);

--- a/core/src/main/java/jenkins/model/Jenkins.java
+++ b/core/src/main/java/jenkins/model/Jenkins.java
@@ -2775,6 +2775,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
    /**
     * Accepts submission from the node configuration page.
     */
+    @RequirePOST
    public synchronized void doConfigExecutorsSubmit( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException, FormException {
        checkPermission(ADMINISTER);

@@ -2799,10 +2800,12 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
    /**
     * Accepts the new description.
     */
+    @RequirePOST
    public synchronized void doSubmitDescription( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
        getPrimaryView().doSubmitDescription(req, rsp);
    }

+    @RequirePOST
    public synchronized HttpRedirect doQuietDown() throws IOException {
        try {
            return doQuietDown(false,0);
@@ -2812,6 +2815,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
    }

    @CLIMethod(name="quiet-down")
+    @RequirePOST
    public HttpRedirect doQuietDown(
            @Option(name="-block",usage="Block until the system really quiets down and no builds are running") @QueryParameter boolean block,
            @Option(name="-timeout",usage="If non-zero, only block up to the specified number of milliseconds") @QueryParameter int timeout) throws InterruptedException, IOException {
@@ -2831,6 +2835,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
    }

    @CLIMethod(name="cancel-quiet-down")
+    @RequirePOST
    public synchronized HttpRedirect doCancelQuietDown() {
        checkPermission(ADMINISTER);
        isQuietingDown = false;
@@ -2885,6 +2890,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
        return r;
    }

+    @RequirePOST
    public synchronized TopLevelItem doCreateItem( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException {
        return itemGroupMixIn.createTopLevelItem(req, rsp);
    }
@@ -2908,6 +2914,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
        return (T)copy((TopLevelItem)src,name);
    }

+    @RequirePOST
    public synchronized void doCreateView( StaplerRequest req, StaplerResponse rsp ) throws IOException, ServletException, FormException {
        checkPermission(View.CREATE);
        addView(View.create(req,rsp, this));
@@ -3086,6 +3093,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
     * For debugging. Expose URL to perform GC.
     */
    @edu.umd.cs.findbugs.annotations.SuppressWarnings("DM_GC")
+    @RequirePOST
    public void doGc(StaplerResponse rsp) throws IOException {
        checkPermission(Jenkins.ADMINISTER);
        System.gc();
@@ -3131,6 +3139,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
     * Simulates OutOfMemoryError.
     * Useful to make sure OutOfMemoryHeapDump setting.
     */
+    @RequirePOST
    public void doSimulateOutOfMemory() throws IOException {
        checkPermission(ADMINISTER);

@@ -3299,6 +3308,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
     * @since 1.161
     */
    @CLIMethod(name="shutdown")
+    @RequirePOST
    public void doExit( StaplerRequest req, StaplerResponse rsp ) throws IOException {
        checkPermission(ADMINISTER);
        LOGGER.severe(String.format("Shutting down VM as requested by %s from %s",
@@ -3320,6 +3330,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
     * @since 1.332
     */
    @CLIMethod(name="safe-shutdown")
+    @RequirePOST
    public HttpResponse doSafeExit(StaplerRequest req) throws IOException {
        checkPermission(ADMINISTER);
        isQuietingDown = true;
@@ -3444,6 +3455,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
        rsp.sendRedirect2(ref);
    }

+    @RequirePOST
    public void doFingerprintCleanup(StaplerResponse rsp) throws IOException {
        FingerprintCleanupThread.invoke();
        rsp.setStatus(HttpServletResponse.SC_OK);
@@ -3451,6 +3463,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
        rsp.getWriter().println("Invoked");
    }

+    @RequirePOST
    public void doWorkspaceCleanup(StaplerResponse rsp) throws IOException {
        WorkspaceCleanupThread.invoke();
        rsp.setStatus(HttpServletResponse.SC_OK);
@@ -3865,6 +3878,7 @@ public class Jenkins extends AbstractCIBase implements ModifiableTopLevelItemGro
            return logRecords;
        }

+        @RequirePOST
        public void doLaunchSlaveAgent(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
            // this computer never returns null from channel, so
            // this method shall never be invoked.