Separate out GET and POST more explicitly

- No longer allow uploading directly via GET, that is terrible for
  security. Instead, use the GET parameters to pre-fill the upload form.
- PageRequestEvent has a `method` property that can be checked in
  extensions

ext/admin/main.php

@@ -86,16 +86,15 @@ class AdminPage extends Extension
                 parse_str($event->args[1], $_GET);
                 $_SERVER['REQUEST_URI'] .= "?" . $event->args[1];
             }
-            send_event(new PageRequestEvent($event->args[0]));
+            send_event(new PageRequestEvent("GET", $event->args[0]));
             $page->display();
         }
         if ($event->cmd == "post-page") {
             global $page;
-            $_SERVER['REQUEST_METHOD'] = "POST";
             if (isset($event->args[1])) {
                 parse_str($event->args[1], $_POST);
             }
-            send_event(new PageRequestEvent($event->args[0]));
+            send_event(new PageRequestEvent("POST", $event->args[0]));
             $page->display();
         }
         if ($event->cmd == "get-token") {