Use GET for make_friend when the user is not logged in

The POST is only used to avoid cross site attacks against logged
in users, and the login form will defeat that for users that are not
logged in, so use GET when not logged in so that the redirect to the
login form will be done.

diff --git a/app/views/user/view.html.erb b/app/views/user/view.html.erb
index cf74fc0e0b9fbfaef0484fbe37a3ddce9ee4b1f9..fc7b599292f54fc25254a23950396bf35039f073 100644 (file)
--- a/app/views/user/view.html.erb
+++ b/app/views/user/view.html.erb
@@ -75,8 +75,10 @@
           <li>
             <% if @user and @user.is_friends_with?(@this_user) %>
               <%= link_to t('user.view.remove as friend'), remove_friend_path(:display_name => @this_user.display_name), :method => :post %>
-            <% else %>
+            <% elsif @user %>
               <%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name), :method => :post %>
+            <% else %>
+              <%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name) %>
             <% end %>
           </li>