From: Tom Hughes <tom@compton.nu>
Date: Wed, 2 Aug 2017 14:31:21 +0000 (+0100)
Subject: Make sure the account form is POSTed
X-Git-Tag: live~3330
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/85b0098b1c694de2859ac2aa4b864a6cb947c916?hp=60f2074baca1b36bf02b02be976a2527d60c5fef

Make sure the account form is POSTed

Fixes #1601
---

diff --git a/app/views/user/account.html.erb b/app/views/user/account.html.erb
index 752d1cd01..92b3407bf 100644
--- a/app/views/user/account.html.erb
+++ b/app/views/user/account.html.erb
@@ -11,7 +11,7 @@
 <% end %>
 
 <%= error_messages_for current_user %>
-<%= form_for current_user, :url => { :action => :account }, :html => { :multipart => true, :id => 'accountForm', :class => 'standard-form', :autocomplete => :off } do |f| %>
+<%= form_for current_user, :url => { :action => :account }, :method => :post, :html => { :multipart => true, :id => 'accountForm', :class => 'standard-form', :autocomplete => :off } do |f| %>
   <fieldset>
     <div class="form-row">
       <label class="standard-label"><%= t 'user.new.display name' %></label>
diff --git a/test/controllers/user_controller_test.rb b/test/controllers/user_controller_test.rb
index 4dcb1108a..1404fc795 100644
--- a/test/controllers/user_controller_test.rb
+++ b/test/controllers/user_controller_test.rb
@@ -784,6 +784,7 @@ class UserControllerTest < ActionController::TestCase
     assert_template :account
     assert_select "form#accountForm" do |form|
       assert_equal "post", form.attr("method").to_s
+      assert_select "input[name='_method']", false
       assert_equal "/user/#{URI.encode(user.display_name)}/account", form.attr("action").to_s
     end