Prevent CSRF bypass updating account details
authorTom Hughes <tom@compton.nu>
Mon, 8 Feb 2021 12:24:43 +0000 (12:24 +0000)
committerTom Hughes <tom@compton.nu>
Mon, 8 Feb 2021 12:24:43 +0000 (12:24 +0000)
Fixes #3089

app/controllers/users_controller.rb
test/controllers/users_controller_test.rb

index 0538d04093a96fc0eba38e6a62d585edcfe79532..8e3f0a355516be99f539039855a8bd270e40b483 100644 (file)
@@ -123,7 +123,7 @@ class UsersController < ApplicationController
       :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
     )
 
-    if params[:user] && params[:user][:display_name] && params[:user][:description]
+    if request.post?
       if params[:user][:auth_provider].blank? ||
          (params[:user][:auth_provider] == current_user.auth_provider &&
           params[:user][:auth_uid] == current_user.auth_uid)
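Review bot: A POST whose body lacks the `user` key now raises NoMethodError on the line right after the new condition, because `params[:user]` is nil for an absent key and the removed guard was also the only nil check before `params[:user][:auth_provider]`. Rails only verifies the authenticity token on non-GET/HEAD requests, so gating on `request.post?` is the right CSRF fix, but the presence check should be kept alongside it: `if request.post? && params[:user]`. The enclosing account action starts and ends outside the hunk, so whether a later line already requires the parameter cannot be confirmed from here.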
index 03657d2883dbfc6b26669f13e2b907b7e1e71b40..02e5db7db25dd54d5cd3ae5d19f85817040fca82 100644 (file)
@@ -949,6 +949,14 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
       assert_equal "/user/#{ERB::Util.u(user.display_name)}/account", form.attr("action").to_s
     end
 
+    # Updating the description using GET should fail
+    user.description = "new description"
+    user.preferred_editor = "default"
+    get user_account_path(user), :params => { :user => user.attributes }
+    assert_response :success
+    assert_template :account
+    assert_not_equal user.description, User.find(user.id).description
+
     # Updating the description should work
     user.description = "new description"
     user.preferred_editor = "default"
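Review bot: The new GET case shows only that a GET carrying user attributes does not persist the description; it does not exercise the CSRF protection itself, since Rails test environments normally run with forgery protection disabled, so a token-less POST would still succeed in this test. The comment should say so to avoid it being read as a CSRF test: `# Updating the description using GET should fail (forgery protection is off in tests, so this only checks the request-method gate)`. A companion case that posts to `user_account_path(user)` with no `:user` params would also cover the path where the controller's old parameter-presence guard was removed. The enclosing test method starts and ends outside the hunk.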