From: Andy Allan
Date: Wed, 2 Aug 2017 13:58:03 +0000 (+0100)
Subject: Avoid passing the current_user.id when commenting
X-Git-Tag: live~3002^2~107
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/980422533d315d623c0a880721e0f8a91c5ec19f

Avoid passing the current_user.id when commenting

Doing so doesn't appear to be necessary, and it opens up a spoofing hole if it's actually used.
---

diff --git a/app/views/issues/_comments.html.erb b/app/views/issues/_comments.html.erb
index 6c684c253..6e0f241b2 100644
--- a/app/views/issues/_comments.html.erb
+++ b/app/views/issues/_comments.html.erb
@@ -20,7 +20,7 @@
- <%= form_for :issue_comment, :url => { :action => 'comment', :id => @issue.id, :user_id => current_user.id } do |f| %> + <%= form_for :issue_comment, :url => { :action => 'comment', :id => @issue.id } do |f| %> <%= richtext_area :issue_comment, :body, :cols => 10, :rows => 8, :required => true %> <%= label_tag t('issues.show.comments.reassign_param') %> <%= check_box_tag :reassign, true %>
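Review bot: dropping `:user_id => current_user.id` from the form URL only closes the spoofing hole if the `comment` action attributes the new comment to `current_user` on the server side rather than to `params[:user_id]`; the commit message says passing it "doesn't appear to be necessary", so please confirm in the issues controller that the `comment` action never reads `params[:user_id]` (and that the route for `comment` does not require it), otherwise this change turns a spoofable parameter into a missing one and the form breaks. Since the identity is now taken entirely from the session, the action also needs to stay behind the login check that sets `current_user`. A request test that POSTs a comment with a forged `user_id` parameter and asserts the comment is attributed to the logged-in user would lock this in.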