point user review dashboard to ~new place

tests/py/test_is_suspicious.py

@@ -10,7 +10,7 @@ def setUp(self):
         self.bar = self.make_participant('bar', is_admin=True)
 
     def toggle_is_suspicious(self):
-        self.client.GET('/~foo/toggle-is-suspicious.json', auth_as='bar')
+        self.client.POST('/~foo/toggle-is-suspicious.json', auth_as='bar')
 
     def test_that_is_suspicious_defaults_to_None(self):
         foo = self.make_participant('foo', claimed_time='now')

www/dashboard/index.spt

@@ -54,7 +54,7 @@ title = _("Fraud Review Dashboard")
             var row = $(this).parent();
             var to = $(this).text() !== 'Good';
             var username = row.attr('username');
-            var url = "/" + username + "/toggle-is-suspicious.json";
+            var url = "/~" + username + "/toggle-is-suspicious.json";
 
             function success()
             {

www/~/%username/toggle-is-suspicious.json.spt

@@ -5,6 +5,8 @@ from gratipay.utils import get_participant
 if not user.ADMIN:
     raise Response(400)
 
+request.allow('POST')
+
 to = request.body.get('to')
 if not to in ('true', 'false', None):
     raise Response(400)