Only enable protected paths for POST requests

https://gitlab.com/gitlab-org/gitlab/merge_requests/16463 moved
protected paths from Omnibus to the application settings, but
inadvertently included throttling on GET requests instead of just POST
requests. This change restores the previous behavior.

Part of https://gitlab.com/gitlab-org/gitlab/issues/34212

changelogs/unreleased/sh-fix-protected-paths.yml

+---
+title: Only enable protected paths for POST requests
+merge_request: 19184
+author:
+type: fixed

config/initializers/rack_attack_new.rb

@@ -73,7 +73,8 @@ class Rack::Attack
   end
 
   throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req|
-    if !req.should_be_skipped? &&
+    if req.post? &&
+        !req.should_be_skipped? &&
         req.protected_path? &&
         Gitlab::Throttle.protected_paths_enabled? &&
         req.unauthenticated?
@@ -82,17 +83,19 @@ class Rack::Attack
   end
 
   throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req|
-    if req.api_request? &&
-        Gitlab::Throttle.protected_paths_enabled? &&
-        req.protected_path?
+    if req.post? &&
+        req.api_request? &&
+        req.protected_path? &&
+        Gitlab::Throttle.protected_paths_enabled?
       req.authenticated_user_id([:api])
     end
   end
 
   throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req|
-    if req.web_request? &&
-        Gitlab::Throttle.protected_paths_enabled? &&
-        req.protected_path?
+    if req.post? &&
+        req.web_request? &&
+        req.protected_path? &&
+        Gitlab::Throttle.protected_paths_enabled?
       req.authenticated_user_id([:api, :rss, :ics])
     end
   end