Make .../build URL use regular RequirePOST notice

daniel-beck · daniel-beck · commit a369a106f182 · 2026-02-19T14:34:22.000+01:00
diff --git a/core/src/main/java/hudson/model/BuildAuthorizationToken.java b/core/src/main/java/hudson/model/BuildAuthorizationToken.java
@@ -35,17 +35,20 @@
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
+import java.util.ServiceLoader;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import jenkins.model.Jenkins;
 import jenkins.model.ParameterizedJobMixIn;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.NoExternalUse;
+import org.kohsuke.stapler.ForwardToView;
 import org.kohsuke.stapler.HttpResponses;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerRequest2;
 import org.kohsuke.stapler.StaplerResponse;
 import org.kohsuke.stapler.StaplerResponse2;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 import org.springframework.security.access.AccessDeniedException;
 
 /**
@@ -124,6 +127,13 @@ public static void checkPermission(Job<?, ?> project, BuildAuthorizationToken to
             return;
         }
 
+        for (RequirePOST.ErrorCustomizer handler : ServiceLoader.load(RequirePOST.ErrorCustomizer.class)) {
+            ForwardToView forwardToView = handler.getForwardView();
+            if (forwardToView != null) {
+                throw forwardToView.with("requestURL", req.getRequestURLWithQueryString().toString());
+            }
+        }
+
         rsp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
         rsp.addHeader("Allow", "POST");
         throw HttpResponses.forwardToView(project, "requirePOST.jelly");
diff --git a/core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly b/core/src/main/resources/hudson/security/csrf/CrumbFilter/retry.jelly
@@ -25,7 +25,8 @@ THE SOFTWARE.
 <?jelly escape-by-default='true'?>
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
     <st:statusCode value="405"/>
-    <l:layout norefresh="true" title="${%Method Not Allowed}">
+    <st:header name="Allow" value="POST" />
+    <l:layout title="${%Method Not Allowed}">
 
         <l:main-panel>
             <h1>${%This URL requires POST}</h1>
