Force openid callbacks to use GET to avoid CSRF validation issues

diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 86689644c8032b5139aae2dcfa7b5ed1dabd75c8..92a602ff17776a26b9c2ab43e237409daedcc0bf 100644 (file)
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -522,7 +522,7 @@ private
     end
 
     # Start the authentication
-    authenticate_with_open_id(openid_expand_url(openid_url), :required => required) do |result, identity_url, sreg, ax|
+    authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => required) do |result, identity_url, sreg, ax|
       if result.successful?
         # We need to use the openid url passed back from the OpenID provider
         # rather than the one supplied by the user, as these can be different.
@@ -570,7 +570,7 @@ private
   def openid_verify(openid_url, user)
     user.openid_url = openid_url
 
-    authenticate_with_open_id(openid_expand_url(openid_url)) do |result, identity_url|
+    authenticate_with_open_id(openid_expand_url(openid_url), :method => :get) do |result, identity_url|
       if result.successful?
         # We need to use the openid url passed back from the OpenID provider
         # rather than the one supplied by the user, as these can be different.