From f980b601454ad6c6cd6dc6709f113a57edf9d4fe Mon Sep 17 00:00:00 2001
From: echarp
Date: Tue, 26 Jan 2016 15:31:03 +0100
Subject: [PATCH] Better protection against spam

---
 app/controllers/orgas_controller.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/app/controllers/orgas_controller.rb b/app/controllers/orgas_controller.rb
index 724c57ab..82ebd4b7 100644
--- a/app/controllers/orgas_controller.rb
+++ b/app/controllers/orgas_controller.rb
@@ -4,10 +4,8 @@ class OrgasController < ApplicationController
   before_action :set_orga, except: [:index, :new, :create]
   before_action :set_mailer_host
-  before_action :authenticate_user!, only: [:edit, :update],
+  before_action :authenticate_user!, except: [:index, :new, :create, :show],
                 unless: :check_secret
-  before_action :authenticate_user!, except: [:index, :new, :create, :show,
-                                              :edit, :update]
 
   def index
     @search = apply_scopes(Orga).moderated.includes(:kind,
@@ -98,6 +96,7 @@ class OrgasController < ApplicationController
 
   # Check that you can only edit an existing event if you know its secret
   def check_secret
-    !@orga.secret || @orga.secret == params[:secret]
+    !%w(validate refuse).include?(action_name) &&
+      (!@orga.secret || @orga.secret == params[:secret])
   end
 end
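Review bot: With the single filter `before_action :authenticate_user!, except: [...], unless: :check_secret`, the secret now bypasses login for every action not named in the `except:` list, not just edit/update as the removed `only:` filter limited it to; any other member action the controller defines (a `destroy`, for instance, if one exists — it is not visible in this hunk) becomes reachable with the orga secret alone, where before it required a logged-in user unconditionally. The only thing keeping validate/refuse behind authentication is the deny-list added to `check_secret` in the second hunk, which every future moderation action has to remember to join. It would be safer to invert that into an allow-list of the actions the secret is meant to unlock, e.g. `%w(edit update).include?(action_name) && (!@orga.secret || @orga.secret == params[:secret])`, so unlisted actions default to requiring a login. The class body continues past both ends of this hunk.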
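Review bot: The retained `!@orga.secret` branch in `check_secret` grants anonymous access whenever the secret is nil, and an empty-string secret (truthy in Ruby) is matched by a request carrying `?secret=`, so the spam protection this commit targets still depends on every orga having a non-blank secret; unless legacy records are expected to have none, `@orga.secret.present? && @orga.secret == params[:secret]` would close both cases. The comparison itself is plain `==` on a secret passed in the query string; if the app runs Rails 4.2 or later, `ActiveSupport::SecurityUtils.secure_compare(@orga.secret.to_s, params[:secret].to_s)` gives a constant-time check and copes with a non-string param. The comment above the method still says only "edit an existing event"; it now also describes the exclusion, e.g. `# Anonymous access needs the orga's secret; validate/refuse always require a logged-in user`.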