Better protection against spam

app/controllers/orgas_controller.rb

@@ -4,10 +4,8 @@ class OrgasController < ApplicationController
 
   before_action :set_orga, except: [:index, :new, :create]
   before_action :set_mailer_host
-  before_action :authenticate_user!, only: [:edit, :update],
+  before_action :authenticate_user!, except: [:index, :new, :create, :show],
                                      unless: :check_secret
-  before_action :authenticate_user!, except: [:index, :new, :create, :show,
-                                              :edit, :update]
 
   def index
     @search = apply_scopes(Orga).moderated.includes(:kind,
@@ -98,6 +96,7 @@ class OrgasController < ApplicationController
 
   # Check that you can only edit an existing event if you know its secret
   def check_secret
-    !@orga.secret || @orga.secret == params[:secret]
+    !%w(validate refuse).include?(action_name) &&
+      (!@orga.secret || @orga.secret == params[:secret])
   end
 end