From: Tom Hughes
Date: Wed, 19 Oct 2011 19:34:06 +0000 (+0100)
Subject: Force openid callbacks to use GET to avoid CSRF validation issues
X-Git-Tag: live~6070
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/07b834785f709628baaf3678cd8d81cf72a6ef60?hp=546db822816d87943f93af545ab61bdd5b93fb25

Force openid callbacks to use GET to avoid CSRF validation issues
---
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 86689644c..92a602ff1 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -522,7 +522,7 @@ private
 end
 
 # Start the authentication
- authenticate_with_open_id(openid_expand_url(openid_url), :required => required) do |result, identity_url, sreg, ax|
+ authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => required) do |result, identity_url, sreg, ax|
 if result.successful?
 # We need to use the openid url passed back from the OpenID provider
 # rather than the one supplied by the user, as these can be different.
@@ -570,7 +570,7 @@ private
 def openid_verify(openid_url, user)
 user.openid_url = openid_url
 
- authenticate_with_open_id(openid_expand_url(openid_url)) do |result, identity_url|
+ authenticate_with_open_id(openid_expand_url(openid_url), :method => :get) do |result, identity_url|
 if result.successful?
 # We need to use the openid url passed back from the OpenID provider
 # rather than the one supplied by the user, as these can be different.
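Review bot: Making the provider's return_to a GET takes the callback out of protect_from_forgery's scope entirely, since Rails only checks the authenticity token on non-GET requests, so in both hunks (here and the identical change in openid_verify at line 570) the integrity of the response now rests solely on the OpenID signature and nonce verification performed inside authenticate_with_open_id; that is a defensible trade but deserves a comment at each call site so a later reader does not assume the CSRF check still applies, e.g. `# The provider returns via GET so protect_from_forgery does not reject the callback; the assertion itself is authenticated by the OpenID signature/nonce check.`. A second consequence is that the whole assertion, including the sreg/ax attribute values yielded to this block, now arrives in the query string and therefore lands in web-server and proxy access logs and in Rails' request parameter logging, so the `openid.*` parameters should be filtered from logs (Rails' `config.filter_parameters`, if this app is on Rails 3) or it should be confirmed that this is already done. If I read the open_id_authentication plugin correctly, `:method` is carried as a `_method` return_to argument that Rack::MethodOverride applies to the provider's POST, so it is worth a quick check that a provider which already returns via a GET redirect is unaffected. The enclosing method of the first hunk starts before the hunk, and openid_verify continues past the end of the second.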