Prevent CSRF bypass with login form
index c2cbca4ae8defe29675e24ab933c37c732e49aa2..aa504e3131a23380572d4f4d70d8e20aa9e59f3a 100644 (file)
@@ -276,7 +276,7 @@ class UsersController < ApplicationController
 
     session[:referer] = safe_referer(params[:referer]) if params[:referer]
 
-    if params[:username].present? && params[:password].present?
+    if request.post?
       session[:remember_me] ||= params[:remember_me]
       password_authentication(params[:username], params[:password])
     end
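Review bot: With the guard reduced to `request.post?`, a POST that omits or blanks `username` or `password` now reaches `password_authentication(params[:username], params[:password])` with nil or empty arguments, which the removed presence check used to prevent. That helper is outside the hunk, so confirm it sends blank credentials down the ordinary login-failure path rather than raising or looking up a user on nil; a controller test for an empty POST would pin this. The reason for the method check is also worth recording above the `if`, e.g. `# Authenticate only on POST: Rails verifies the CSRF token on non-GET requests, so a GET carrying credentials must never log anyone in.` The enclosing action starts and ends outside the hunk.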