Prevent CSRF bypass with password reset form
[rails.git] / app / controllers / users_controller.rb
index 8e3f0a355516be99f539039855a8bd270e40b483..c2cbca4ae8defe29675e24ab933c37c732e49aa2 100644 (file)
@@ -151,7 +151,7 @@ class UsersController < ApplicationController
   def lost_password
     @title = t "users.lost_password.title"
 
-    if params[:email]
+    if request.post?
       user = User.visible.find_by(:email => params[:email])
 
       if user.nil?
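Review bot: The new guard `if request.post?` no longer ensures the field is present, so a POST without `email` reaches `User.visible.find_by(:email => params[:email])` with nil, and a nested parameter would arrive there as an array or hash. Consider `if request.post? && params[:email].is_a?(String) && params[:email].present?`, or an explicit error branch for a blank value; what the `user.nil?` path does with the value is outside this hunk, so the impact is unconfirmed. The reason for checking the method is also worth recording above the condition, e.g. `# Act only on POST: Rails does not verify the CSRF token on GET requests`. A controller test asserting that a GET carrying `email` sends no mail would keep the fix from regressing. The body of `lost_password` continues past the end of the hunk.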