Force openid callbacks to use GET to avoid CSRF validation issues
authorTom Hughes <tom@compton.nu>
Wed, 19 Oct 2011 19:34:06 +0000 (20:34 +0100)
committerTom Hughes <tom@compton.nu>
Mon, 14 Nov 2011 09:42:57 +0000 (09:42 +0000)
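--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -522,7 +522,7 @@ private
     end
 
     # Start the authentication
-    authenticate_with_open_id(openid_expand_url(openid_url), :required => required) do |result, identity_url, sreg, ax|
+    authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => required) do |result, identity_url, sreg, ax|
       if result.successful?
         # We need to use the openid url passed back from the OpenID provider
         # rather than the one supplied by the user, as these can be different.
@@ -570,7 +570,7 @@ private
   def openid_verify(openid_url, user)
     user.openid_url = openid_url
 
-    authenticate_with_open_id(openid_expand_url(openid_url)) do |result, identity_url|
+    authenticate_with_open_id(openid_expand_url(openid_url), :method => :get) do |result, identity_url|
       if result.successful?
         # We need to use the openid url passed back from the OpenID provider
         # rather than the one supplied by the user, as these can be different.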
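Review bot: The new `:method => :get` option is left unexplained at both call sites (the first hunk's `authenticate_with_open_id` call and the one in `openid_verify`), and the reason only lives in the commit message: the provider's return_to request carries no Rails authenticity token, so a POST return would presumably be rejected by `protect_from_forgery`, which Rails does not apply to GET. Add a comment above each call, e.g. `# Have the provider return via GET: the callback carries no Rails CSRF token and a POST return would be rejected by protect_from_forgery; the assertion itself is checked by the OpenID library before result.successful? is true.` Since this makes the library's signature/nonce verification the only guard on the callback, it is worth stating in that comment that `identity_url` and the `sreg`/`ax` values must be taken from the verified response only, and that with a GET return they travel in the query string and may end up in request logs. The enclosing method of the first hunk begins outside it, and `openid_verify` continues past the end of the second.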