Merge pull request #85 from CPS-IT/fix/harden-methods

[BUGFIX] Harden security check for allowed HTTP methods

Classes/Controller/MailqueueModuleController.php

@@ -60,13 +60,7 @@ public function __construct(
 
     public function __invoke(Message\ServerRequestInterface $request): Message\ResponseInterface
     {
-        $this->assertAllowedHttpMethod($request, 'GET', 'POST');
-
-        $template = $this->moduleTemplateFactory->create($request);
-        $transport = $this->mailer->getTransport();
         $page = $this->resolvePageIdFromRequest($request);
-        $sendId = $request->getQueryParams()['send'] ?? null;
-        $deleteId = $request->getQueryParams()['delete'] ?? null;
 
         // Force redirect when page selector was used
         if ($request->getMethod() === 'POST' && !isset($request->getQueryParams()['page'])) {
@@ -75,6 +69,13 @@ public function __invoke(Message\ServerRequestInterface $request): Message\Respo
             );
         }
 
+        $this->assertAllowedHttpMethod($request, 'GET');
+
+        $template = $this->moduleTemplateFactory->create($request);
+        $transport = $this->mailer->getTransport();
+        $sendId = $request->getQueryParams()['send'] ?? null;
+        $deleteId = $request->getQueryParams()['delete'] ?? null;
+
         if ($transport instanceof Mail\Transport\QueueableTransport) {
             $templateVariables = $this->resolveTemplateVariables($transport, $page, $sendId, $deleteId);
         } else {