From 8c33668e81cf47b5b858c93c307de04e8683fc7c Mon Sep 17 00:00:00 2001
From: Louise Crow
Date: Fri, 7 Nov 2014 16:19:19 +0000
Subject: Make clearing a profile photo a post-restricted action
---
 app/controllers/admin_user_controller.rb | 4 ----
 app/views/admin_user/show.html.erb | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)
(limited to 'app')
diff --git a/app/controllers/admin_user_controller.rb b/app/controllers/admin_user_controller.rb
index 6031c816b..bbb5d002a 100644
--- a/app/controllers/admin_user_controller.rb
+++ b/app/controllers/admin_user_controller.rb
@@ -83,10 +83,6 @@ class AdminUserController < AdminController
 def clear_profile_photo
 @admin_user = User.find(params[:id])
- if !request.post?
- raise "Can only clear profile photo from POST request"
- end
-
 if @admin_user.profile_photo
 @admin_user.profile_photo.destroy
 end
diff --git a/app/views/admin_user/show.html.erb b/app/views/admin_user/show.html.erb
index 3846bc173..1e7d885c5 100644
--- a/app/views/admin_user/show.html.erb
+++ b/app/views/admin_user/show.html.erb
@@ -4,7 +4,7 @@ <% if @admin_user.profile_photo %>
- <%= form_tag admin_clear_profile_photo_path(@admin_user), :multipart => true, :class => "form" do %>
+ <%= form_tag clear_profile_photo_admin_user_path(@admin_user), :multipart => true, :class => "form" do %>
<%= submit_tag "Clear photo", :class => "btn btn-info" %>
--
cgit v1.2.3
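Review bot: With the `request.post?` guard removed from `clear_profile_photo`, the only thing keeping this destructive action off GET is the route behind `clear_profile_photo_admin_user_path` on the changed `form_tag` line, and that route file is not part of this 'app'-limited diff. Rails' CSRF token verification does not apply to GET requests, so if the route accepts other verbs the photo deletion would run without any token check. Please confirm the member route is declared with `post` only (not `match` or `get`), and add a routing or controller spec asserting that a GET to this path is not routed. `form_tag` defaults to POST, so the form itself is fine; `:multipart => true` looks unnecessary unless the form has a file field outside the visible lines.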