From ce14c0f4c7c7d55e4e3396b9934f758692c29117 Mon Sep 17 00:00:00 2001
From: Sebastien Ros
Date: Tue, 30 Jun 2015 11:19:14 -0700
Subject: [PATCH] Applying security fix http://docs.orchardproject.net/Documentation/Patch-20150519
---
 .../Modules/Orchard.Users/Controllers/AdminController.cs | 9 +++++++--
 .../Modules/Orchard.Users/Views/Admin/Index.cshtml | 6 +++---
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AdminController.cs b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AdminController.cs
index f372034b1..1c1aee52b 100644
--- a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AdminController.cs
@@ -293,6 +293,7 @@ namespace Orchard.Users.Controllers {
 return RedirectToAction("Index");
 }
 
+[HttpPost]
 public ActionResult SendChallengeEmail(int id) {
 if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to manage users")))
 return new HttpUnauthorizedResult();
@@ -313,7 +314,9 @@ namespace Orchard.Users.Controllers {
 return RedirectToAction("Index");
 }
 
-public ActionResult Approve(int id) {
+[HttpPost]
+public ActionResult Approve(int id)
+{
 if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to manage users")))
 return new HttpUnauthorizedResult();
 
@@ -330,7 +333,9 @@ namespace Orchard.Users.Controllers {
 return RedirectToAction("Index");
 }
 
-public ActionResult Moderate(int id) {
+[HttpPost]
+public ActionResult Moderate(int id)
+{
 if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to manage users")))
 return new HttpUnauthorizedResult();
 
diff --git a/src/Orchard.Web/Modules/Orchard.Users/Views/Admin/Index.cshtml b/src/Orchard.Web/Modules/Orchard.Users/Views/Admin/Index.cshtml
index c26a4c2b9..0bc07fef9 100644
--- a/src/Orchard.Web/Modules/Orchard.Users/Views/Admin/Index.cshtml
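Review bot: `[HttpPost]` on `SendChallengeEmail` (and, in the next two hunks, on `Approve` and `Moderate`) stops these state-changing actions from being triggered by a plain GET, but nothing in the hunk validates an anti-forgery token, so a forged POST submitted from a logged-in site owner's browser would still pass unless a global filter validates the token on every POST. If this module does not rely on such a filter, add `[ValidateAntiForgeryToken]` beside each new `[HttpPost]`; if it does, a one-line comment on the first attribute, e.g. `// POST-only; the anti-forgery token is validated by the global filter`, would spare the next reader the same question. Any other view or link that still reaches these actions via GET will now get MVC's no-matching-action response, which is the safe failure but worth checking outside the two files in this patch. Each method's body continues past the end of its hunk.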
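Review bot: The rewritten `Approve` signature moves the opening brace onto its own line (`public ActionResult Approve(int id)` followed by `{`), which diverges from the K&R layout kept for `SendChallengeEmail` in the previous hunk and from the `namespace Orchard.Users.Controllers {` shown in every hunk header; the `Moderate` hunk makes the same change. Keeping `public ActionResult Approve(int id) {` on one line would make both hunks a pure attribute addition and leave the file's brace style consistent. The body of `Approve` continues beyond the hunk.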
+++ b/src/Orchard.Web/Modules/Orchard.Users/Views/Admin/Index.cshtml
@@ -71,12 +71,12 @@
 @Html.ActionLink(T("Edit").ToString(), "Edit", new { entry.User.Id }) |
 @Html.ActionLink(T("Delete").ToString(), "Delete", new { entry.User.Id}, new { itemprop = "RemoveUrl UnsafeUrl" }) |
 @if (entry.User.RegistrationStatus == UserStatus.Pending) {
-@Html.ActionLink(T("Approve").ToString(), "Approve", new { entry.User.Id })
+@Html.ActionLink(T("Approve").ToString(), "Approve", new { entry.User.Id }, new { itemprop = "UnsafeUrl" })
 }
 else {
-@Html.ActionLink(T("Disable").ToString(), "Moderate", new { entry.User.Id })
+@Html.ActionLink(T("Disable").ToString(), "Moderate", new { entry.User.Id }, new { itemprop = "UnsafeUrl" })
 }
 @if (entry.User.EmailStatus == UserStatus.Pending) {
 |
-@Html.ActionLink(T("Send challenge E-mail").ToString(), "SendChallengeEmail", new { entry.User.Id })
+@Html.ActionLink(T("Send challenge E-mail").ToString(), "SendChallengeEmail", new { entry.User.Id }, new { itemprop = "UnsafeUrl" })
 }
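Review bot: The added `itemprop = "UnsafeUrl"` on the Approve, Disable and Send-challenge links only has an effect if a script outside this hunk rewrites such anchors into POST submissions that carry the anti-forgery token, as the existing Delete link with `"RemoveUrl UnsafeUrl"` presumably already relies on; without that script, or with scripting disabled, these stay plain GET anchors, which the controller's new `[HttpPost]` actions now reject, so the failure mode is a dead link rather than an unauthenticated state change. That dependency deserves a short Razor comment above the block, e.g. `@* UnsafeUrl links are submitted as POST with the anti-forgery token by the admin script *@`, once the actual mechanism is confirmed. A no-script-safe alternative is a small form with `@Html.AntiForgeryToken()` per action, at the cost of more markup. The enclosing markup block starts before and ends after this hunk.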