delete/move is now POST

README.md

@@ -281,6 +281,9 @@ server-os-specific:
 
 upgrade notes
 
+* `1.6.0`:
+  * http-api: delete/move is now `POST` instead of `GET`
+  * everything other than `GET` and `HEAD` must pass [cors validation](#cors)
 * `1.5.0` (2022-12-03): [new chunksize formula](https://github.com/9001/copyparty/commit/54e1c8d261df) for files larger than 128 GiB
   * **users:** upgrade to the latest [cli uploader](https://github.com/9001/copyparty/blob/hovudstraum/bin/up2k.py) if you use that
   * **devs:** update third-party up2k clients (if those even exist)

copyparty/__main__.py

@@ -821,6 +821,7 @@ def add_hooks(ap):
 def add_yolo(ap):
     ap2 = ap.add_argument_group('yolo options')
     ap2.add_argument("--allow-csrf", action="store_true", help="disable csrf protections; let other domains/sites impersonate you through cross-site requests")
+    ap2.add_argument("--getmod", action="store_true", help="permit ?move=[...] and ?delete as GET")
 
 
 def add_optouts(ap):

copyparty/httpcli.py

@@ -747,15 +747,16 @@ class HttpCli(object):
         if "tree" in self.uparam:
             return self.tx_tree()
 
-        if "delete" in self.uparam:
-            return self.handle_rm([])
-
-        if "move" in self.uparam:
-            return self.handle_mv()
-
         if "scan" in self.uparam:
             return self.scanvol()
 
+        if self.args.getmod:
+            if "delete" in self.uparam:
+                return self.handle_rm([])
+
+            if "move" in self.uparam:
+                return self.handle_mv()
+
         if not self.vpath:
             if "reload" in self.uparam:
                 return self.handle_reload()
@@ -1200,6 +1201,12 @@ class HttpCli(object):
         if "raw" in self.uparam:
             return self.handle_stash(False)
 
+        if "delete" in self.uparam:
+            return self.handle_rm([])
+
+        if "move" in self.uparam:
+            return self.handle_mv()
+
         ctype = self.headers.get("content-type", "").lower()
         if not ctype:
             raise Pebkac(400, "you can't post without a content-type header")

copyparty/web/browser.js

@@ -3392,7 +3392,7 @@ var fileman = (function () {
 			}
 
 			var xhr = new XHR();
-			xhr.open('GET', f[0].src + '?move=' + dst, true);
+			xhr.open('POST', f[0].src + '?move=' + dst, true);
 			xhr.onload = xhr.onerror = rename_cb;
 			xhr.send();
 		}
@@ -3423,7 +3423,7 @@ var fileman = (function () {
 			}
 			toast.show('inf r', 0, esc(L.fd_busy.format(vps.length + 1, vp)), 'r');
 
-			xhr.open('GET', vp + '?delete', true);
+			xhr.open('POST', vp + '?delete', true);
 			xhr.onload = xhr.onerror = delete_cb;
 			xhr.send();
 		}
@@ -3531,7 +3531,7 @@ var fileman = (function () {
 
 			var dst = get_evpath() + vp.split('/').pop();
 
-			xhr.open('GET', vp + '?move=' + dst, true);
+			xhr.open('POST', vp + '?move=' + dst, true);
 			xhr.onload = xhr.onerror = paste_cb;
 			xhr.send();
 		}

docs/devnotes.md

@@ -127,7 +127,7 @@ authenticate using header `Cookie: cppwd=foo` or url param `&pw=foo`
 
 | method | params | result |
 |--|--|--|
-| GET | `?move=/foo/bar` | move/rename the file/folder at URL to /foo/bar |
+| POST | `?move=/foo/bar` | move/rename the file/folder at URL to /foo/bar |
 
 | method | params | body | result |
 |--|--|--|--|
@@ -137,7 +137,7 @@ authenticate using header `Cookie: cppwd=foo` or url param `&pw=foo`
 | mPOST | | `act=bput`, `f=FILE` | upload `FILE` into the folder at URL |
 | mPOST | `?j` | `act=bput`, `f=FILE` | ...and reply with json |
 | mPOST | | `act=mkdir`, `name=foo` | create directory `foo` at URL |
-| GET | `?delete` | | delete URL recursively |
+| POST | `?delete` | | delete URL recursively |
 | jPOST | `?delete` | `["/foo","/bar"]` | delete `/foo` and `/bar` recursively |
 | uPOST | | `msg=foo` | send message `foo` into server log |
 | mPOST | | `act=tput`, `body=TEXT` | overwrite markdown document at URL |