Prevent CSRF bypass updating account details

Fixes #3089
Tom Hughes 2021-02-08 12:24:43 +00:00
parent 65c11d3faf
commit 7810734ac4
2 changed files with 9 additions and 1 deletions


@ -123,7 +123,7 @@ class UsersController < ApplicationController
:form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
)
if params[:user] && params[:user][:display_name] && params[:user][:description]
if request.post?
if params[:user][:auth_provider].blank? ||
(params[:user][:auth_provider] == current_user.auth_provider &&
params[:user][:auth_uid] == current_user.auth_uid)