557322 - If the request to /services/paypal isn't a POST, abort

Status: RESOLVED FIXED

(addons.mozilla.org Graveyard :: Code Quality, enhancement, P5)

Description

[Wil Clouser [:clouserw]]

Attachment: if not post; gtfo

This is just a code quality thing I was looking at.  If a request comes in to /services/paypal we send a request to paypal, wait for a response, and then print out an answer.  If a request isn't POST, there is no reason to even look at it.

...I think.  I want someone to back me up on that before I commit anything. ;)  This bug is low priority like author names not being lined up right in IE6.

Comment 1

[Fred Wenzel [:wenzel]]

Comment on attachment 437111 [details] [diff] [review]
if not post; gtfo

I agree with your reasoning: It's important that we don't send a code 200 unless the request succeeds, and just running into a code 500 is sloppy, so might as well turn non-POST requests away at the door.

However, r- because: 403 is the wrong response code, 405 is the right one. Also, Django has a require_POST decorator that'll do the work for you: http://www.b-list.org/weblog/2007/dec/11/http/

Comment 2

[Wil Clouser [:clouserw]]

I didn't change the response code because paypal is picky about those things and I assumed someone else read the spec.  But fine, I'll read it myself :)

Comment 3

[Jeff Balogh (:jbalogh)]

(In reply to comment #2)
> I didn't change the response code because paypal is picky about those things
> and I assumed someone else read the spec.  But fine, I'll read it myself :)

I'm pretty sure paypal has no idea that HTTP has response codes.

Comment 4

[Wil Clouser [:clouserw]]

someone already did this