From 44ffca31030651ca9d816cfd7d0784d0652c4ee5 Mon Sep 17 00:00:00 2001
From: Seb Bacon
Date: Wed, 27 Jul 2011 15:27:22 +0100
Subject: Don't treat CSRF tokens as optional session data for administrators (they're needed to allow them to edit anything! Fixes #95 (Also change wording of test namess to match usual rspec convention)
---
 app/controllers/admin_controller.rb | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'app/controllers/admin_controller.rb')
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 375c19529..655670b5a 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -51,7 +51,10 @@ class AdminController < ApplicationController
     if !username.empty? && !password.empty?
       authenticate_or_request_with_http_basic do |user_name, password|
         user_name == username && password == password
+        session[:using_admin] = 1
       end
+    else
+      session[:using_admin] = 1
     end
   end
 end
-- 
cgit v1.2.3
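Review bot: The added `session[:using_admin] = 1` inside the `authenticate_or_request_with_http_basic` block is now the block's last expression, so the block always returns the truthy value 1 and the credential comparison on the line above is discarded — any Basic-auth credentials would be accepted, and the session is flagged as admin before the check result is consulted. The comparison line has a related pre-existing problem: the block parameter `password` masks the method-level `password`, so `password == password` compares a value with itself and is always true, meaning only the username was ever checked. The check should be computed first, the flag set only when it holds, and the boolean returned as the block's value; renaming the block parameter restores the intended password comparison. The enclosing method starts outside the hunk.

```ruby
authenticate_or_request_with_http_basic do |user_name, given_password|
  authenticated = user_name == username && given_password == password
  session[:using_admin] = 1 if authenticated
  authenticated
end
```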