From: Tom Hughes Date: Sun, 2 Jun 2013 18:08:32 +0000 (+0100) Subject: Use GET for make_friend when the user is not logged in X-Git-Tag: live~4980 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/b650a2272544c51ee9ec8bce33bcb113bfd579e8 Use GET for make_friend when the user is not logged in The POST is only used to avoid cross site attacks against logged in users, and the login form will defeat that for users that are not logged in, so use GET when not logged in so that the redirect to the login form will be done. --- diff --git a/app/views/user/view.html.erb b/app/views/user/view.html.erb index cf74fc0e0..fc7b59929 100644 --- a/app/views/user/view.html.erb +++ b/app/views/user/view.html.erb @@ -75,8 +75,10 @@
  • <% if @user and @user.is_friends_with?(@this_user) %> <%= link_to t('user.view.remove as friend'), remove_friend_path(:display_name => @this_user.display_name), :method => :post %> - <% else %> + <% elsif @user %> <%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name), :method => :post %> + <% else %> + <%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name) %> <% end %>
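Review bot: The new final `<% else %>` branch emits a plain GET link to `make_friend_path`, but this diff only touches the view, so nothing visible here shows that the make_friend action treats a GET as free of side effects. After the login redirect the user is likely to arrive back at the same URL by GET while authenticated. The action should therefore require a POST (for example by rendering a confirmation form) before creating the friendship. Otherwise the cross-site protection described in the commit message is lost for any logged-in user who follows a crafted link. Please confirm that the route accepts GET and that the controller only changes state on POST. A short ERB comment in that branch explaining why `:method => :post` is omitted there would also stop a later cleanup from "fixing" the asymmetry with the `<% elsif @user %>` branch.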