Use GET for make_friend when the user is not logged in

The POST is only used to avoid cross site attacks against logged
in users, and the login form will defeat that for users that are not
logged in, so use GET when not logged in so that the redirect to the
login form will be done.
Tom Hughes 2013-06-02 19:08:32 +01:00
parent 80903324cf
commit b650a22725

@ -75,8 +75,10 @@
<li>
<% if @user and @user.is_friends_with?(@this_user) %>
<%= link_to t('user.view.remove as friend'), remove_friend_path(:display_name => @this_user.display_name), :method => :post %>
<% else %>
<% elsif @user %>
<%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name), :method => :post %>
<% else %>
<%= link_to t('user.view.add as friend'), make_friend_path(:display_name => @this_user.display_name) %>
<% end %>
</li>
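
Review bot: The final else branch drops `:method => :post` from the add-as-friend link, so make_friend_path is now requested with GET, and that is only safe if the make_friend action never creates the friendship on a GET request. The same URL can be linked from a third-party page and followed by a user who is already logged in, which is the cross-site case the commit message says POST exists to prevent. Please confirm, ideally with a test, that a GET to make_friend only redirects to login or renders a confirmation step, and that the state change still requires the POST. The two add-as-friend link_to calls differ only in the method option, so a short template comment above the else explaining why the anonymous case uses GET would help later readers.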