Prevent CSRF bypass updating account details
[rails.git] / app / controllers / users_controller.rb
index 0538d04093a96fc0eba38e6a62d585edcfe79532..8e3f0a355516be99f539039855a8bd270e40b483 100644 (file)
@@ -123,7 +123,7 @@ class UsersController < ApplicationController
       :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
     )
 
-    if params[:user] && params[:user][:display_name] && params[:user][:description]
+    if request.post?
       if params[:user][:auth_provider].blank? ||
          (params[:user][:auth_provider] == current_user.auth_provider &&
           params[:user][:auth_uid] == current_user.auth_uid)
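Review bot: The new guard `if request.post?` no longer checks that `params[:user]` exists, so a POST without a `user` hash reaches `params[:user][:auth_provider]` on the following line with a nil receiver and would raise NoMethodError (a 500) instead of re-rendering the form. Keeping the method check and restoring the presence check covers both cases: `if request.post? && params[:user].present?`. This assumes no before-filter or `params.require(:user)` outside the hunk already guarantees the key; the enclosing action starts and ends outside the visible lines. A short comment above the condition, such as `# Only mutate on POST: CSRF tokens are not verified for GET requests`, would keep a later refactor from reverting to parameter-based detection. A controller test asserting that a GET carrying `user[...]` parameters leaves the account unchanged would pin the fix.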