friends/add and del are now POST-only

app/start.go

@@ -115,8 +115,8 @@ func Start(conf common.Conf, dbO *sqlx.DB) *gin.Engine {
 			gv1.GET("/users/self/settings", Method(v1.UsersSelfSettingsGET, common.PrivilegeReadConfidential))
 
 			// Write privilege required
-			gv1.GET("/friends/add", Method(v1.FriendsAddGET, common.PrivilegeWrite))
-			gv1.GET("/friends/del", Method(v1.FriendsDelGET, common.PrivilegeWrite))
+			gv1.POST("/friends/add", Method(v1.FriendsAddPOST, common.PrivilegeWrite))
+			gv1.POST("/friends/del", Method(v1.FriendsDelPOST, common.PrivilegeWrite))
 			gv1.POST("/users/self/settings", Method(v1.UsersSelfSettingsPOST, common.PrivilegeWrite))
 			gv1.POST("/users/self/userpage", Method(v1.UserSelfUserpagePOST, common.PrivilegeWrite))
 			//gv1.POST("/beatmaps/rank_requests", Method(v1.BeatmapRankRequestsSubmitPOST, common.PrivilegeWrite))

app/v1/friend.go

@@ -129,9 +129,13 @@ func FriendsWithGET(md common.MethodData) common.CodeMessager {
 	return r
 }
 
-// FriendsAddGET is the GET version of FriendsAddPOST.
-func FriendsAddGET(md common.MethodData) common.CodeMessager {
-	return addFriend(md, common.Int(md.Query("id")))
+// FriendsAddPOST adds an user to the friends.
+func FriendsAddPOST(md common.MethodData) common.CodeMessager {
+	var u struct {
+		User int `json:"user"`
+	}
+	md.RequestData.Unmarshal(&u)
+	return addFriend(md, u.User)
 }
 
 func addFriend(md common.MethodData, u int) common.CodeMessager {
@@ -174,9 +178,13 @@ func userExists(md common.MethodData, u int) (r bool) {
 	return
 }
 
-// FriendsDelGET is the GET version of FriendDelPOST.
-func FriendsDelGET(md common.MethodData) common.CodeMessager {
-	return delFriend(md, common.Int(md.Query("id")))
+// FriendsDelPOST deletes an user's friend.
+func FriendsDelPOST(md common.MethodData) common.CodeMessager {
+	var u struct {
+		User int `json:"user"`
+	}
+	md.RequestData.Unmarshal(&u)
+	return delFriend(md, u.User)
 }
 
 func delFriend(md common.MethodData, u int) common.CodeMessager {