authorRobin Houston <robin.houston@gmail.com>2012-06-03 17:30:25 +0100
committerRobin Houston <robin.houston@gmail.com>2012-06-03 17:30:25 +0100
commit28fac418f2bf4dd21f150054713f1b7fe410c67a (patch)
treeb2dba9bdf262b981b9ce92fb6071f75bfe7bdaa4 /app
parent0806fcc7d477b45d158e8a152b1f927f395d3aa7 (diff)
Prevent spiders from reporting requests
Make the "report request" button submit a POST rather than a GET request. Also restrict this action to logged-in users. Fixes #501.
Diffstat (limited to 'app')
-rw-r--r--app/controllers/request_controller.rb6
-rw-r--r--app/views/request/_sidebar.rhtml2
2 files changed, 7 insertions, 1 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 4592b5ac2..bd2bfc974 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -656,6 +656,12 @@ class RequestController < ApplicationController
def report_request
info_request = InfoRequest.find_by_url_title(params[:url_title])
+ return if !authenticated?(
+ :web => _("To report this FOI request"),
+ :email => _("Then you can report the request '{{title}}'", :title => info_request.title),
+ :email_subject => _("Report an offensive or unsuitable request")
+ )
+
if !info_request.attention_requested
info_request.set_described_state('attention_requested')
info_request.attention_requested = true # tells us if attention has ever been requested
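Review bot: Nothing in the action itself rejects a GET, so the login guard is the only thing that stops a non-JS crawler from flipping `attention_requested`; the new `authenticated?` check runs for any HTTP method, and any route-level method restriction is outside this hunk. Because the view side of this commit relies on JavaScript to turn the link into a POST, I would enforce the method server-side right after the guard, e.g. `return render(:nothing => true, :status => 405) unless request.post?`, and make sure the action is covered by the application's forgery protection (not visible here). Separately, the `:email` argument evaluates `info_request.title` before the guard is called, so an unknown `url_title` now raises `NoMethodError` while building the argument list instead of at the later `attention_requested` call; a nil check on `info_request` before this block would turn that into a proper not-found response. The rest of `report_request` continues outside the hunk.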
diff --git a/app/views/request/_sidebar.rhtml b/app/views/request/_sidebar.rhtml
index bca142fa9..956b3988b 100644
--- a/app/views/request/_sidebar.rhtml
+++ b/app/views/request/_sidebar.rhtml
@@ -13,7 +13,7 @@
<% else %>
<p><%= _('Requests for personal information and vexatious requests are not considered valid for FOI purposes (<a href="/help/about">read more</a>).') %>
<p><%= ('If you believe this request is not suitable, you can report it for attention by the site administrators') %></p>
- <%= link_to _("Report this request"), report_path, :class => "link_button_green" %>
+ <%= link_to _("Report this request"), report_path, :class => "link_button_green", :method => "POST" %>
<% end %>
<% end %>
<h2><%= _("Act on what you've learnt") %></h2>
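Review bot: `link_to ... :method => "POST"` only yields a POST when JavaScript runs; the markup is still an `<a href="...">` that non-JS clients, including the spiders this commit targets, follow as a plain GET, so the method change does not by itself achieve the stated goal. A real form does not depend on JS and carries the authenticity token: `<%= button_to _("Report this request"), report_path, :class => "link_button_green" %>`. If `link_to` is kept, the `:method` option is conventionally given as the symbol `:post` rather than the string `"POST"`. Whether the server also rejects GET on this path is decided in the controller or routes, not in this template.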