From 5f2438780ab6797283b2f2981e23298091f9be0d Mon Sep 17 00:00:00 2001
From: Alex Bogdanovski
Date: Mon, 21 Jun 2021 16:50:25 +0300
Subject: [PATCH] fixed potential security issue, closes #250

---
 .../java/com/erudika/scoold/controllers/VoteController.java | 6 +++---
 src/main/resources/static/scripts/scoold.js | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/java/com/erudika/scoold/controllers/VoteController.java b/src/main/java/com/erudika/scoold/controllers/VoteController.java
index 6e6319f4..65fe9e2c 100644
--- a/src/main/java/com/erudika/scoold/controllers/VoteController.java
+++ b/src/main/java/com/erudika/scoold/controllers/VoteController.java
@@ -52,8 +52,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
@@ -83,7 +83,7 @@ public VoteController(ScooldUtils utils) {
 }
 
 @ResponseBody
- @GetMapping("/voteup/{type}/{id}")
+ @PostMapping("/voteup/{type}/{id}")
 public Boolean voteup(@PathVariable String type, @PathVariable String id, HttpServletRequest req) {
 //addModel("voteresult", result);
 ParaObject votable = StringUtils.isBlank(type) ? pc.read(id) : pc.read(type, id);
@@ -91,7 +91,7 @@ public Boolean voteup(@PathVariable String type, @PathVariable String id, HttpSe
 }
 
 @ResponseBody
- @GetMapping("/votedown/{type}/{id}")
+ @PostMapping("/votedown/{type}/{id}")
 public Boolean votedown(@PathVariable String type, @PathVariable String id, HttpServletRequest req) {
 //addModel("voteresult", result);
 ParaObject votable = StringUtils.isBlank(type) ? pc.read(id) : pc.read(type, id);
diff --git a/src/main/resources/static/scripts/scoold.js b/src/main/resources/static/scripts/scoold.js
index 5f8e2463..739eede0 100755
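Review bot: Moving `voteup` from `@GetMapping` to `@PostMapping` closes the link/image-load vector, but a POST can still be submitted by a cross-site HTML form, so the endpoint is only safe if a CSRF token (or an Origin/SameSite check) is enforced for POSTs, and nothing in this hunk shows one. If Scoold already filters POSTs for a CSRF token the change is complete; if not, the handler should verify the token before `pc.read` and return `false` otherwise. Either way I would record the assumption above the mapping: `// POST only: voting changes state and must never be reachable by GET; still relies on the CSRF check applied to POST requests`. The body of `voteup` continues outside the hunk.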
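Review bot: `votedown` resolves its target with `pc.read(type, id)` where both `type` and `id` are taken verbatim from the path, so the route will fetch whatever Para object type the caller names, and the hunk does not show a check that the object is actually votable or that the caller may vote on it — that presumably lives in the code after the cut. If it does not, a guard right after the read, `if (votable == null) return false;` plus a check that `type` is one of the types the app allows votes on, would keep arbitrary objects out of the vote path (hedged: I cannot see whether `pc.read` returns null for unknown ids). Like `voteup`, this POST route is only protected against cross-site submission if a CSRF token is verified for POSTs. The body of `votedown` continues outside the hunk.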
--- a/src/main/resources/static/scripts/scoold.js
+++ b/src/main/resources/static/scripts/scoold.js
@@ -323,7 +323,7 @@ $(function () {
 var newvotes = parseInt(votes.text(), 10) || 0;
 if (!dis.data("disabled")) {
 dis.data("disabled", true);
- $.get(this.href, function(data) {
+ $.post(this.href, function(data) {
 if (data === true) {
 if (up) {
 newvotes++;
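Review bot: `$.post(this.href, function(data) {` sends an empty form body with no CSRF header, so if the server-side switch to POST is backed by a CSRF token check this call will be rejected unless the token is supplied, e.g. through a global `$.ajaxSetup({ headers: { ... } })` or as a field in the POST data; the hunk does not show whether such setup exists elsewhere in scoold.js, so please confirm. The vote controls also keep their `href`, so a middle-click or open-in-new-tab now issues a GET that the server presumably answers with 405 instead of a vote — harmless for security, but a `data-url` attribute with a non-navigating `href` would avoid the dead link. The click handler starts outside the hunk.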