fix: [user:resetauthkey] Method can only be accessed via POST request

- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)

app/Controller/UsersController.php

@@ -1235,6 +1235,9 @@ class UsersController extends AppController
         if (!$this->_isAdmin() && Configure::read('MISP.disableUserSelfManagement')) {
             throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
         }
+        if (!$this->request->is('post') || !$this->request->is('put')) {
+            throw new MethodNotAllowedException(__('This functionality is only accessible via POST requests.'));
+        }
         if ($id == 'me') {
             $id = $this->Auth->user('id');
         }

app/View/Users/admin_view.ctp

@@ -34,7 +34,7 @@ $buttonModifyStatus = $mayModify ? 'button_on':'button_off';
         h($user['User']['authkey']),
         sprintf(
             ' (%s)',
-            $this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
+            $this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
         )
     );
     $table_data[] = array(

app/View/Users/view.ctp

@@ -17,7 +17,8 @@
             (Configure::read('MISP.disableUserSelfManagement') && !$isAdmin) ? '' :
                 sprintf(
                     ' (%s)',
-                    $this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', $user['User']['id']))
+                    $this->Form->postLink(__('reset'), array('action' => 'resetauthkey', $user['User']['id']))
+
                 )
         );
     }