From 2c774a75a2e0d467fd17e63a9ebacfedc73d2cb2 Mon Sep 17 00:00:00 2001
From: Sagar Vora <16315650+sagarvora@users.noreply.github.com>
Date: Fri, 21 Nov 2025 18:11:50 +0530
Subject: [PATCH] fix: restrict `send_login_link` to POST method only
---
 frappe/www/login.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/www/login.py b/frappe/www/login.py
index 4dfa9f2a4e..91aec1fb43 100644
--- a/frappe/www/login.py
+++ b/frappe/www/login.py
@@ -140,7 +140,7 @@ def get_login_with_email_link_ratelimit() -> int:
 return frappe.get_system_settings("rate_limit_email_link_login") or 5
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist(allow_guest=True, methods=["POST"])
 @rate_limit(limit=get_login_with_email_link_ratelimit, seconds=60 * 60)
 def send_login_link(email: str):
 if not frappe.get_system_settings("login_with_email_link"):
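Review bot: The new `methods=["POST"]` on `send_login_link` has no comment or test recording why this guest endpoint is POST-only, so a later decorator cleanup could drop the restriction unnoticed. I would add a line above the decorator such as `# POST only: this guest endpoint sends an email, so a plain GET (link, image tag, prefetch) must not be able to trigger it`. A regression test asserting that a GET to the method is rejected would pin the behaviour. The body of `send_login_link` continues outside the hunk, so whether other guest-callable, state-changing methods in this file need the same restriction cannot be judged from here and is worth checking.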