From c4a1d5386ab27967d89bd9a5f1269544bb0d92d5 Mon Sep 17 00:00:00 2001
From: Ryan Bigg
Date: Fri, 11 Oct 2013 13:22:44 +1100
Subject: [PATCH] Non-GET requests that would usually non-ssl-redirect will now respond with HTTP status 426
Conflicts: core/spec/lib/spree/core/controller_helpers/ssl_spec.rb
---
core/config/locales/en.yml | 2 ++
core/lib/spree/core/controller_helpers/ssl.rb | 20 +++++++++++--------
.../spree/core/controller_helpers/ssl_spec.rb | 9 +++++++++
3 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/core/config/locales/en.yml b/core/config/locales/en.yml
index 24f219b6834..ed62ce74b0a 100644
--- a/core/config/locales/en.yml
+++ b/core/config/locales/en.yml
@@ -1002,6 +1002,8 @@ en:
 special_instructions: Special Instructions
 split: Split
 spree_gateway_error_flash_for_checkout: There was a problem with your payment information. Please check your information and try again.
+ ssl:
+ change_protocol: "Please switch to using HTTP (rather than HTTPS) and retry this request."
 start: Start
 state: State
 state_based: State Based
diff --git a/core/lib/spree/core/controller_helpers/ssl.rb b/core/lib/spree/core/controller_helpers/ssl.rb
index 456e79ed9f4..f3c2895efca 100644
--- a/core/lib/spree/core/controller_helpers/ssl.rb
+++ b/core/lib/spree/core/controller_helpers/ssl.rb
@@ -41,14 +41,18 @@ def ssl_allowed?
 # * host - Redirect to a different host name
 def force_non_ssl_redirect(host = nil)
 if request.ssl? && !ssl_allowed?
- redirect_options = {
- :protocol => 'http://',
- :host => host || request.host,
- :path => request.fullpath,
- }
- flash.keep if respond_to?(:flash)
- insecure_url = ActionDispatch::Http::URL.url_for(redirect_options)
- redirect_to insecure_url, :status => :moved_permanently
+ if request.get?
+ redirect_options = {
+ :protocol => 'http://',
+ :host => host || request.host,
+ :path => request.fullpath,
+ }
+ flash.keep if respond_to?(:flash)
+ insecure_url = ActionDispatch::Http::URL.url_for(redirect_options)
+ redirect_to insecure_url, :status => :moved_permanently
+ else
+ render :text => Spree.t(:change_protocol, :scope => :ssl), :status => :upgrade_required
+ end
 end
 end
 end
diff --git a/core/spec/lib/spree/core/controller_helpers/ssl_spec.rb b/core/spec/lib/spree/core/controller_helpers/ssl_spec.rb
index 255535f8136..3e4ffd24923 100644
--- a/core/spec/lib/spree/core/controller_helpers/ssl_spec.rb
+++ b/core/spec/lib/spree/core/controller_helpers/ssl_spec.rb
@@ -4,6 +4,7 @@
 controller do
 include Spree::Core::ControllerHelpers::SSL
 def index; render text: 'index'; end
+ def create; end
 def self.ssl_supported?; true; end
 end
@@ -34,6 +35,14 @@ def self.ssl_supported?; true; end
 controller(described_class){ }
 specify{ get(:index).should be_redirect }
 end
+ context 'using a post returns a HTTP status 426' do
+ controller(described_class){ }
+ specify do
+ post(:create)
+ response.body.should == "Please switch to using HTTP (rather than HTTPS) and retry this request."
+ response.status.should == 426
+ end
+ end
 end
 describe 'redirect to https' do
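Review bot: In `core/lib/spree/core/controller_helpers/ssl.rb`, the new `else` branch of `force_non_ssl_redirect` answers with 426 but sets no `Upgrade` header, which the HTTP specification requires on a 426 response, and it uses the status to ask for a move from HTTPS down to HTTP rather than an upgrade, so generic clients are unlikely to act on it. If the status is kept, set the header before rendering, e.g. `response.headers['Upgrade'] = 'HTTP/1.1'`, and assert it in the new spec in `ssl_spec.rb`. The branch also means a form POST that reaches an action not listed as SSL-allowed is told to resend its body without TLS, so a comment such as `# Non-GET: no redirect; the client retries over plain HTTP, so the request body is sent unencrypted` would make that trade-off visible to whoever maps actions here. Depending on the Rails version, `request.get?` may not cover HEAD, in which case HEAD requests would now receive the 426 instead of the redirect; `request.get? || request.head?` would keep the old behaviour for them.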