From b650a2272544c51ee9ec8bce33bcb113bfd579e8 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 2 Jun 2013 19:08:32 +0100
Subject: [PATCH] Use GET for make_friend when the user is not logged in

The POST is only used to avoid cross site attacks against logged in users, and the login form will defeat that for users that are not logged in, so use GET when not logged in so that the redirect to the login form will be done.
---
 app/views/user/view.html.erb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/views/user/view.html.erb b/app/views/user/view.html.erb
index cf74fc0e0..fc7b59929 100644
--- a/app/views/user/view.html.erb
+++ b/app/views/user/view.html.erb
@@ -75,8 +75,10 @@
  •
 <% if @user and @user.is_friends_with?(@this_user) %>
 <%= link_to t('user.view.remove as friend'), remove_friend_path(:display_name => @this_user.display_name), :method => :post %>
- <% else %>
+ <% elsif @user %>
 <%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name), :method => :post %>
+ <% else %>
+ <%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name) %>
 <% end %>
  • -- 2.43.2
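Review bot: The new `<% else %>` branch sends a plain GET to `make_friend_path`, so this change is only safe if the `make_friend` action never creates the friendship on GET, and neither the routes nor the controller are part of this patch. After the login redirect the same URL is presumably requested again with GET by a user who is now logged in, which is exactly the case the POST was protecting; the action should render a confirmation form on GET and change state only on a POST with the authenticity token verified. I would record that dependency next to the link, e.g. `<%# GET on purpose: anonymous users are redirected to login; make_friend must only change state on POST %>`, and confirm that a cross-site GET cannot add a friend for a logged-in session.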