From fb1a0d6d256f99159175eb245ebbb7c2055a21a6 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis <alextselegidis@gmail.com>
Date: Thu, 28 May 2015 00:12:44 +0200
Subject: [PATCH] Added POST constraint to backend_api controller.

---
 src/application/controllers/backend_api.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/application/controllers/backend_api.php b/src/application/controllers/backend_api.php
index 60d58d49..27e02c78 100644
--- a/src/application/controllers/backend_api.php
+++ b/src/application/controllers/backend_api.php
@@ -9,6 +9,11 @@ class Backend_api extends CI_Controller {
     public function __construct() {
         parent::__construct();
         
+        // All the methods in this class must be accessible through a POST request. 
+        if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
+            $this->security->csrf_show_error();
+        }
+
         $this->load->library('session');
         $this->load->model('roles_model');
         $this->privileges = $this->roles_model->get_privileges($this->session->userdata('role_slug'));