From 121e519e2e3e7d8999945d7d3afc30d455a33385 Mon Sep 17 00:00:00 2001
From: Chad Whitacre
Date: Thu, 11 Jun 2015 16:31:52 -0400
Subject: [PATCH 1/3] Point user review dashboard to ~new place
---
 www/dashboard/index.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/www/dashboard/index.spt b/www/dashboard/index.spt
index 0e01fb3a77..163a3170a7 100644
--- a/www/dashboard/index.spt
+++ b/www/dashboard/index.spt
@@ -54,7 +54,7 @@ title = _("Fraud Review Dashboard")
 var row = $(this).parent();
 var to = $(this).text() !== 'Good';
 var username = row.attr('username');
-var url = "/" + username + "/toggle-is-suspicious.json";
+var url = "/~" + username + "/toggle-is-suspicious.json";
 function success() {
From 16b029d8e26d07d54f5aece497950d7e1228ce35 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla
Date: Fri, 12 Jun 2015 02:07:11 +0530
Subject: [PATCH 2/3] Only allow POST requests to toggle-is-suspicious.json
---
 www/~/%username/toggle-is-suspicious.json.spt | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/www/~/%username/toggle-is-suspicious.json.spt b/www/~/%username/toggle-is-suspicious.json.spt
index a5362578b5..1549eeabb7 100644
--- a/www/~/%username/toggle-is-suspicious.json.spt
+++ b/www/~/%username/toggle-is-suspicious.json.spt
@@ -5,6 +5,8 @@ from gratipay.utils import get_participant
 if not user.ADMIN:
 raise Response(400)
+request.allow('POST')
+
 to = request.body.get('to')
 if not to in ('true', 'false', None):
 raise Response(400)
From a52115173d27cc747b7a66f38a39141b70d08ef3 Mon Sep 17 00:00:00 2001
From: Rohit Paul Kuruvilla
Date: Fri, 12 Jun 2015 02:09:07 +0530
Subject: [PATCH 3/3] Fix tests
---
 tests/py/test_is_suspicious.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/py/test_is_suspicious.py b/tests/py/test_is_suspicious.py
index bbf5512282..d5fe9fe998 100644
--- a/tests/py/test_is_suspicious.py
+++ b/tests/py/test_is_suspicious.py
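Review bot: The new `url` line still splices `username`, read from the row's `username` attribute, straight into the path, so a value containing `/`, `?`, `#` or `%` would change which resource the request is sent to; `var url = "/~" + encodeURIComponent(username) + "/toggle-is-suspicious.json";` keeps the whole value inside one path segment. Whether that attribute can ever hold such characters depends on how the server renders the dashboard rows, which is not visible in this hunk, so treat the encoding as defence in depth rather than a known bug. The enclosing click handler begins before the hunk and `success()` continues past it.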
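Review bot: `request.allow('POST')` is placed below the `user.ADMIN` check, so a non-admin request with the wrong method still gets the admin branch's 400 and only admins ever observe the 405; moving `request.allow('POST')` to the top of the block, directly after the import line, makes the method restriction apply before any authorization logic and before `request.body` is read. While here, the context line `raise Response(400)` for a non-admin caller is a 400 where 403 is the usual status for a permission failure; if 400 is deliberate, a one-line comment stating why would help the next reader. The context line `if not to in ('true', 'false', None):` reads more naturally as `if to not in ('true', 'false', None):`. The simplate body continues past the hunk.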
@@ -10,7 +10,7 @@ def setUp(self):
 self.bar = self.make_participant('bar', is_admin=True)
 def toggle_is_suspicious(self):
-self.client.GET('/~foo/toggle-is-suspicious.json', auth_as='bar')
+self.client.POST('/~foo/toggle-is-suspicious.json', auth_as='bar')
 def test_that_is_suspicious_defaults_to_None(self):
 foo = self.make_participant('foo', claimed_time='now')
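Review bot: Switching the helper to `self.client.POST(...)` keeps the existing tests green, but nothing in the series pins the new restriction itself — a test asserting that a GET to `/~foo/toggle-is-suspicious.json` as `bar` is now rejected with 405 would stop the `request.allow('POST')` line from being silently dropped later. How this test client expresses an expected error response is defined outside the hunk, so I am not quoting a form for that assertion. The enclosing test class and its `setUp` begin before the hunk.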