identify user by id so rerendering the form does not use new invalid login

1 files changed, 11 insertions, 4 deletions

diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index ecab53b..3913d0d 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,6 +1,8 @@
 class UsersController < ApplicationController
 
-  skip_before_filter :verify_authenticity_token
+  skip_before_filter :verify_authenticity_token, :only => [:create]
+
+  before_filter :fetch_user, :only => [:edit, :update]
 
   respond_to :json, :html
 
@@ -17,12 +19,17 @@ class UsersController < ApplicationController
   end
 
   def edit
-    @user = current_user
   end
 
   def update
-    @user = current_user
-    @user.update(params[:user])
+    @user.update_attributes(params[:user])
     respond_with(@user, :location => edit_user_path(@user))
   end
+
+  protected
+
+  def fetch_user
+    @user = User.find_by_param(params[:id])
+    access_denied unless @user == current_user
+  end
 end