From 9e57fedd80f8860dbf6d294c27349aea5bb94360 Mon Sep 17 00:00:00 2001
From: Howl <the@howl.moe>
Date: Wed, 16 Nov 2016 18:03:47 +0100
Subject: [PATCH] friends/add and del are now POST-only

---
 app/start.go     |  4 ++--
 app/v1/friend.go | 20 ++++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/app/start.go b/app/start.go
index b657ab8..aacc615 100644
--- a/app/start.go
+++ b/app/start.go
@@ -115,8 +115,8 @@ func Start(conf common.Conf, dbO *sqlx.DB) *gin.Engine {
 			gv1.GET("/users/self/settings", Method(v1.UsersSelfSettingsGET, common.PrivilegeReadConfidential))
 
 			// Write privilege required
-			gv1.GET("/friends/add", Method(v1.FriendsAddGET, common.PrivilegeWrite))
-			gv1.GET("/friends/del", Method(v1.FriendsDelGET, common.PrivilegeWrite))
+			gv1.POST("/friends/add", Method(v1.FriendsAddPOST, common.PrivilegeWrite))
+			gv1.POST("/friends/del", Method(v1.FriendsDelPOST, common.PrivilegeWrite))
 			gv1.POST("/users/self/settings", Method(v1.UsersSelfSettingsPOST, common.PrivilegeWrite))
 			gv1.POST("/users/self/userpage", Method(v1.UserSelfUserpagePOST, common.PrivilegeWrite))
 			//gv1.POST("/beatmaps/rank_requests", Method(v1.BeatmapRankRequestsSubmitPOST, common.PrivilegeWrite))
diff --git a/app/v1/friend.go b/app/v1/friend.go
index 02a901e..616658f 100644
--- a/app/v1/friend.go
+++ b/app/v1/friend.go
@@ -129,9 +129,13 @@ func FriendsWithGET(md common.MethodData) common.CodeMessager {
 	return r
 }
 
-// FriendsAddGET is the GET version of FriendsAddPOST.
-func FriendsAddGET(md common.MethodData) common.CodeMessager {
-	return addFriend(md, common.Int(md.Query("id")))
+// FriendsAddPOST adds an user to the friends.
+func FriendsAddPOST(md common.MethodData) common.CodeMessager {
+	var u struct {
+		User int `json:"user"`
+	}
+	md.RequestData.Unmarshal(&u)
+	return addFriend(md, u.User)
 }
 
 func addFriend(md common.MethodData, u int) common.CodeMessager {
@@ -174,9 +178,13 @@ func userExists(md common.MethodData, u int) (r bool) {
 	return
 }
 
-// FriendsDelGET is the GET version of FriendDelPOST.
-func FriendsDelGET(md common.MethodData) common.CodeMessager {
-	return delFriend(md, common.Int(md.Query("id")))
+// FriendsDelPOST deletes an user's friend.
+func FriendsDelPOST(md common.MethodData) common.CodeMessager {
+	var u struct {
+		User int `json:"user"`
+	}
+	md.RequestData.Unmarshal(&u)
+	return delFriend(md, u.User)
 }
 
 func delFriend(md common.MethodData, u int) common.CodeMessager {