2 files changed, 13 insertions, 10 deletions

diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index ecab53b..3913d0d 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,6 +1,8 @@
 class UsersController < ApplicationController
 
-  skip_before_filter :verify_authenticity_token
+  skip_before_filter :verify_authenticity_token, :only => [:create]
+
+  before_filter :fetch_user, :only => [:edit, :update]
 
   respond_to :json, :html
 
@@ -17,12 +19,17 @@ class UsersController < ApplicationController
   end
 
   def edit
-    @user = current_user
   end
 
   def update
-    @user = current_user
-    @user.update(params[:user])
+    @user.update_attributes(params[:user])
     respond_with(@user, :location => edit_user_path(@user))
   end
+
+  protected
+
+  def fetch_user
+    @user = User.find_by_param(params[:id])
+    access_denied unless @user == current_user
+  end
 end
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index 507eda5..624754b 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -29,9 +29,7 @@ class User < CouchRest::Model::Base
   end
 
   class << self
-    def find_by_param(login)
-      return find_by_login(login) || raise(RECORD_NOT_FOUND)
-    end
+    alias_method :find_by_param, :find
 
     # valid set of attributes for testing
     def valid_attributes_hash
@@ -42,9 +40,7 @@ class User < CouchRest::Model::Base
 
   end
 
-  def to_param
-    self.login
-  end
+  alias_method :to_param, :id
 
   def to_json(options={})
     {