]> git.openstreetmap.org Git - rails.git/blobdiff - app/controllers/user_controller.rb
projects / rails.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Force openid callbacks to use GET to avoid CSRF validation issues
[rails.git] / app / controllers / user_controller.rb
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index fa93313b3df5a782b18172359970edeba02ef340..92a602ff17776a26b9c2ab43e237409daedcc0bf 100644 (file)
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -1,6 +1,7 @@
 class UserController < ApplicationController
   layout :choose_layout
 
+  skip_before_filter :verify_authenticity_token, :only => [:api_details, :api_gpx_files]
   before_filter :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
   before_filter :authorize, :only => [:api_details, :api_gpx_files]
   before_filter :authorize_web, :except => [:api_details, :api_gpx_files]
@@ -252,6 +253,10 @@ class UserController < ApplicationController
   def new
     @title = t 'user.new.title'
     @referer = params[:referer] || session[:referer]
+    @user = User.new(:email => params[:email],
+                     :email_confirmation => params[:email],
+                     :display_name => params[:nickname],
+                     :openid_url => params[:openid])
 
     if session[:user]
       # The user is logged in already, so don't show them the signup
@@ -517,7 +522,7 @@ private
     end
 
     # Start the authentication
-    authenticate_with_open_id(openid_expand_url(openid_url), :required => required) do |result, identity_url, sreg, ax|
+    authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => required) do |result, identity_url, sreg, ax|
       if result.successful?
         # We need to use the openid url passed back from the OpenID provider
         # rather than the one supplied by the user, as these can be different.
@@ -565,7 +570,7 @@ private
   def openid_verify(openid_url, user)
     user.openid_url = openid_url
 
-    authenticate_with_open_id(openid_expand_url(openid_url)) do |result, identity_url|
+    authenticate_with_open_id(openid_expand_url(openid_url), :method => :get) do |result, identity_url|
       if result.successful?
         # We need to use the openid url passed back from the OpenID provider
         # rather than the one supplied by the user, as these can be different.
The OpenStreetMap web site