admin: use POST to run operations (#5997)

* admin: use POST to run operations Fixed CSRF reported by Wenxu Wu of Tencent's Xuanwu Lab. * Update CHANGELOG
author: ᴜɴᴋɴᴡᴏɴ <u@gogs.io> 2020-03-21 11:47:42 +0800
committer: GitHub <noreply@github.com> 2020-03-21 11:47:42 +0800
commit: 958d8b6bb4c2da66859325695b91d871e567a4fa (patch)
tree: a06d14f75c68eb760e7ad18a983aaae29ab51f66 /internal/cmd
parent: a43fc9ad17d4337dd26b9b8d867470ca8c548b41 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/internal/cmd/web.go b/internal/cmd/web.go
index fb7be88b..e8b8f57a 100644
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@@ -271,7 +271,7 @@ func runWeb(c *cli.Context) error {
 
 	// ***** START: Admin *****
 	m.Group("/admin", func() {
-		m.Get("", admin.Dashboard)
+		m.Combo("").Get(admin.Dashboard).Post(admin.Operation) // "/admin"
 		m.Get("/config", admin.Config)
 		m.Post("/config/test_mail", admin.SendTestMail)
 		m.Get("/monitor", admin.Monitor)
author	ᴜɴᴋɴᴡᴏɴ <u@gogs.io>	2020-03-21 11:47:42 +0800
committer	GitHub <noreply@github.com>	2020-03-21 11:47:42 +0800
commit	958d8b6bb4c2da66859325695b91d871e567a4fa (patch)
tree	a06d14f75c68eb760e7ad18a983aaae29ab51f66 /internal/cmd
parent	a43fc9ad17d4337dd26b9b8d867470ca8c548b41 (diff)