[BREAKING] views/comments: /new: Accept only POST

Mixing query params and POST body is hard to understand,
error prone and harder to verify programmatically.

Since this breaks comment creation if clients continue to
only provide `uri` via query params, mark as **BREAKING**

isso/views/comments.py

@@ -219,14 +219,14 @@ def verify(cls, comment):
     @api {post} /new create new
     @apiGroup Comment
     @apiName new
-    @apiVersion 0.12.6
+    @apiVersion 0.13.0
     @apiDescription
         Creates a new comment. The server issues a cookie per new comment which acts as
         an authentication token to modify or delete the comment.
         The token is cryptographically signed and expires automatically after 900 seconds (=15min) by default.
     @apiUse csrf
 
-    @apiQuery {String} uri
+    @apiBody {String} uri
         The uri of the thread to create the comment on.
     @apiBody {String{3...65535}} text
         The comment’s raw text.
@@ -240,7 +240,7 @@ def verify(cls, comment):
         The parent comment’s id if the new comment is a response to an existing comment.
 
     @apiExample {curl} Create a reply to comment with id 15:
-        curl 'https://comments.example.com/new?uri=/thread/' -d '{"text": "Stop saying that! *isso*!", "author": "Max Rant", "email": "rant@example.com", "parent": 15}' -H 'Content-Type: application/json' -c cookie.txt
+        curl 'https://comments.example.com/new' -d '{"uri": "/thread/", "text": "Stop saying that! *isso*!", "author": "Max Rant", "email": "rant@example.com", "parent": 15}' -H 'Content-Type: application/json' -c cookie.txt
 
     @apiUse commentResponse
 
@@ -263,10 +263,10 @@ def verify(cls, comment):
         }
     """
     @xhr
-    @requires(str, 'uri')
-    def new(self, environ, request, uri):
+    def new(self, environ, request):
 
         data = request.json
+        uri = data.get('uri')
 
         for field in set(data.keys()) - API.ACCEPT:
             data.pop(field)