identify user by id so rerendering the form does not use new invalid login

author: Azul <azul@leap.se> 2012-11-23 12:11:11 +0100
committer: Azul <azul@leap.se> 2012-11-23 15:09:53 +0100
commit: ee3c9146e4bbe93ec1f00ee45386a82ec4363c4d (patch)
tree: ec673f97f22c13c19c1f9034dfe88646525bdeae /users/app/controllers
parent: 716dc248e940be8bd323a9d92f98785737fc99a0 (diff)
1 files changed, 11 insertions, 4 deletions
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index ecab53b..3913d0d 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,6 +1,8 @@
 class UsersController < ApplicationController
 
-  skip_before_filter :verify_authenticity_token
+  skip_before_filter :verify_authenticity_token, :only => [:create]
+
+  before_filter :fetch_user, :only => [:edit, :update]
 
   respond_to :json, :html
 
@@ -17,12 +19,17 @@ class UsersController < ApplicationController
   end
 
   def edit
-    @user = current_user
   end
 
   def update
-    @user = current_user
-    @user.update(params[:user])
+    @user.update_attributes(params[:user])
     respond_with(@user, :location => edit_user_path(@user))
   end
+
+  protected
+
+  def fetch_user
+    @user = User.find_by_param(params[:id])
+    access_denied unless @user == current_user
+  end
 end
author	Azul <azul@leap.se>	2012-11-23 12:11:11 +0100
committer	Azul <azul@leap.se>	2012-11-23 15:09:53 +0100
commit	ee3c9146e4bbe93ec1f00ee45386a82ec4363c4d (patch)
tree	ec673f97f22c13c19c1f9034dfe88646525bdeae /users/app/controllers
parent	716dc248e940be8bd323a9d92f98785737fc99a0 (diff)