Require a form post to finally confirm an account to stop

accidental confirmations.

diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index e998e83c69d86e843f4763f2e42e41bfd295034c..31955d019dd13417f98421898733575c40b441bd 100644 (file)
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -143,17 +143,19 @@ class UserController < ApplicationController
   end
 
   def confirm
-    token = UserToken.find_by_token(params[:confirm_string])
-    if token and !token.user.active?
-      @user = token.user
-      @user.active = true
-      @user.save!
-      token.destroy
-      flash[:notice] = 'Confirmed your account, thanks for signing up!'
-      session[:user] = @user.id
-      redirect_to :action => 'account', :display_name => @user.display_name
-    else
-      flash[:notice] = 'Something went wrong confirming that user.'
+    if params[:confirm_action]
+      token = UserToken.find_by_token(params[:confirm_string])
+      if token and !token.user.active?
+        @user = token.user
+        @user.active = true
+        @user.save!
+        token.destroy
+        flash[:notice] = 'Confirmed your account, thanks for signing up!'
+        session[:user] = @user.id
+        redirect_to :action => 'account', :display_name => @user.display_name
+      else
+        flash[:notice] = 'Something went wrong confirming that user.'
+      end
     end
   end
 

diff --git a/app/views/user/confirm.rhtml b/app/views/user/confirm.rhtml
index 8b137891791fe96927ad78e64b0aad7bded08bdc..5577b7068889c6c2694644ed477bbea77cf21fd7 100644 (file)
--- a/app/views/user/confirm.rhtml
+++ b/app/views/user/confirm.rhtml
@@ -1 +1,10 @@
+<h1>Confirm a user account</h1>
+
+<p>Press the confirm button below to activate your account.</p>
+
+<form method="post">
+<input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
+<input type="submit" name="confirm_action" value="Confrm">
+</form>
+