author | Freya Murphy <freya@freyacat.org> | 2024-12-11 22:05:51 -0500 |
---|---|---|
committer | Freya Murphy <freya@freyacat.org> | 2024-12-11 22:05:51 -0500 |
commit | ce123807279506d10f79fdf7214b1ea12b654648 (patch) | |
tree | 29fff07f47e8e548af3db219621121aa2715347f /src | |
parent | update error lang (diff) | |
switch to POST for posting comments
Diffstat (limited to '')
-rw-r--r-- | src/web/_controller/_comments.php | 20 | ||||
-rw-r--r-- | src/web/_model/_comments.php | 19 | ||||
-rw-r--r-- | src/web/_views/comments.php | 2 | ||||
-rw-r--r-- | src/web/core/controller.php | 23 |
4 files changed, 38 insertions, 26 deletions
diff --git a/src/web/_controller/_comments.php b/src/web/_controller/_comments.php
index eea792f..3b8fe35 100644
--- a/src/web/_controller/_comments.php
+++ b/src/web/_controller/_comments.php
@@ -17,20 +17,12 @@ class _comments_controller extends Controller {
 }
 public function post(): void
 {
- $author = ''; $content = ''; $ref = '';
- if (
- !array_key_exists('author', $_GET) ||
- !array_key_exists('content', $_GET) ||
- !array_key_exists('ref', $_GET) ||
- !array_key_exists('page', $_GET)
- ) {
- $this->error(400); return;
- }
- $author = trim($_GET['author']);
- $content = trim($_GET['content']);
- $page = $_GET['page'];
- $ref = $_GET['ref'];
+ $author = trim($this->post_data('author'));
+ $content = trim($this->post_data('content'));
+ $page = $this->post_data('page');
+ $ref = $this->post_data('ref');
+ $url = NULL;
 $author_len = strlen($author);
@@ -55,7 +47,7 @@ class _comments_controller extends Controller {
 try {
 $ref = base64_decode($ref);
 $url = parse_url($ref);
- if (!$url && array_key_exists('host', $url)) {
+ if (!$url || array_key_exists('host', $url)) {
 // dont allow redirects off this site
 $this->error(400); return;
diff --git a/src/web/_model/_comments.php b/src/web/_model/_comments.php
index f36c642..3518508 100644
--- a/src/web/_model/_comments.php
+++ b/src/web/_model/_comments.php
@@ -1,6 +1,13 @@
 <?php
 /* Copyright (c) 2024 Freya Murphy */
 class _comments_model extends Model {
+ private $profanity;
+
+ function __construct()
+ {
+ $this->profanity = $this->load_profanity();
+ }
+
 private function load_profanity()
 {
 $path = ASSET_ROOT . '/profanity.txt';
@@ -24,8 +31,7 @@ class _comments_model extends Model {
 public function is_vulgar($text)
 {
- $profanity = $this->load_profanity();
- return preg_match($profanity, $text);
+ return preg_match($this->profanity, $text);
 }
 public function get_comments($page)
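Review bot: The four `post_data()` calls feed `trim()` here and `base64_decode()` further down, yet `post_data()` is declared `array|string`, so a request sending `author[]=x` (or `ref[]=...`) hands an array to `trim()` and PHP 8 raises a TypeError — a 500 where the removed `$_GET` path would at least have failed before that point. Reject non-string fields before using them, e.g. `if (!is_string($author) || !is_string($content) || !is_string($page) || !is_string($ref)) { $this->error(400); return; }`, or have `post_data()` itself refuse nested values. Only the start of `post()` is in this hunk; the length checks and the redirect logic continue outside it.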
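Review bot: Requiring `parse_url()` to succeed and to report no `host` still lets through values that browsers treat as off-site: `/\evil.example/...` parses as a bare path, but WHATWG-URL-compliant browsers normalise `/\` to `//` and resolve it to another origin, and a scheme-only value such as `javascript:...` has no host either. Since the comment says this is a redirect target, tighten the check to an absolute local path, e.g. `if (!$url || isset($url['scheme']) || isset($url['host']) || !preg_match('#^/(?![/\\\\])#', $ref)) {`. The surrounding `try` block and the later use of `$url` continue past the end of the hunk.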
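Review bot: The new `__construct()` has no visibility modifier and does not call `parent::__construct()`, so if `Model` defines a constructor (not visible here) its setup is now skipped for this class, whereas the old code inherited it unchanged. Prefer `public function __construct()` with `parent::__construct();` as its first statement, or add a comment stating why the base constructor is intentionally bypassed. Loading the pattern once per instance instead of on every `is_vulgar()` call is sensible, but it now runs for every request that instantiates the model, even ones that never check a comment — worth a one-line note if that cost is known to be trivial.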
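Review bot: `preg_match()` returns `false` rather than `0` on a PCRE error — a backtrack-limit hit on a long comment, or a pattern built from `profanity.txt` that fails to compile — and a falsy return here is read by the caller as "not vulgar", so the filter fails open. Make the outcome explicit, e.g. `$hit = preg_match($this->profanity, $text);` followed by `return $hit === false || $hit === 1;` so an engine error counts as a match (or throw, if a 500 is preferable to silently publishing), and log `preg_last_error_msg()` on that path. `get_comments()` starts on the hunk's last line and its body is outside it.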
@@ -45,15 +51,6 @@ class _comments_model extends Model {
 return $result;
 }
- public function ban_user()
- {
- $ip = CONTEXT['ip'];
- $this->db()
- ->insert_into('admin.banned', 'ip', 'reason')
- ->values($ip, 'vulgar language')
- ->execute();
- }
-
 public function post_comment($author, $content, $page, $vulgar)
 {
 $ip = CONTEXT['ip'];
diff --git a/src/web/_views/comments.php b/src/web/_views/comments.php
index d566549..f67a90b 100644
--- a/src/web/_views/comments.php
+++ b/src/web/_views/comments.php
@@ -17,7 +17,7 @@ ?>
 <div class="new">
 <h3><?=lang('new_comment_title')?></h3>
- <form id="new_comment" method="get" action="<?=$this->get_url('_comments/post')?>">
+ <form id="new_comment" method="post" action="<?=$this->get_url('_comments/post')?>">
 <div><input type="text" name="author"
diff --git a/src/web/core/controller.php b/src/web/core/controller.php
index ac1e458..ca892e2 100644
--- a/src/web/core/controller.php
+++ b/src/web/core/controller.php
@@ -39,4 +39,27 @@ abstract class Controller extends Component {
 die();
 }
+ /**
+ * Returns HTTP POST information if POST request.
+ * Returns 405 Method Not Allowed if not.
+ *
+ * If $key is specified, returns only that key. otherwise
+ * returns HTTP 400 Bad Request;
+ */
+ protected function post_data(?string $key = NULL): array|string
+ {
+ // only post requests allowed
+ if ($_SERVER['REQUEST_METHOD'] != 'POST')
+ $this->error(405);
+
+ // return entire $_POST array
+ if (!$key)
+ return $_POST;
+
+ if (!isset($_POST[$key]))
+ $this->error(400);
+
+ return $_POST[$key];
+ }
+
 } |
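Review bot: Changing the form to `method="post"` does not by itself stop a third-party page from submitting comments on a visitor's behalf, and no anti-CSRF token is visible in this form, nor any token check in the parts of `post()` this commit shows. Unless a framework layer already does it, add a hidden per-session token field to the form and have the `post()` action compare it with `hash_equals()` before calling `post_comment()`; a `SameSite` attribute on the session cookie helps but is not a substitute. Only the opening `<form>` tag and the first input are inside the hunk.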
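Review bot: `post_data()` only guarantees the key is set, not that its value is a string, so `author[]=x` returns an array that every caller then passes to `trim()`/`strlen()`, raising a TypeError (500) instead of the 400 the docblock promises; the method should also treat `'0'` as a real key (`!$key` does not) and compare the request method with `!==`. The whole method further relies on `$this->error()` never returning — the `die();` at the top of the hunk suggests it exits, but a returning `error()` would fall through and serve `$_POST` on a GET, so state the assumption in a comment. The docblock's "otherwise returns HTTP 400" is also inverted: 400 is for a missing key, not for the no-key case. A rewrite with those changes:
```php
    protected function post_data(?string $key = NULL): array|string
    {
        // only POST requests allowed; error() is expected to exit here
        if ($_SERVER['REQUEST_METHOD'] !== 'POST')
            $this->error(405);

        // no key requested: return the entire $_POST array
        if ($key === NULL)
            return $_POST;

        // a missing key or a nested value (e.g. key[]=x) is a bad request;
        // callers pass the result to trim()/strlen(), so only plain strings pass
        if (!isset($_POST[$key]) || !is_string($_POST[$key]))
            $this->error(400);

        return $_POST[$key];
    }
```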