Remove CSRF protection from username/password login and from OpenID login.
index 802bcb0815384d5c94295d0c4eadd85350480204..f3e1556f3f143da067a6d259587b8e8edf493e47 100644 (file)
@@ -47,17 +47,17 @@ class UserbyidAction extends Action
 {
      /**
      * Is read only?
-     * 
+     *
      * @return boolean true
      */
     function isReadOnly($args)
-    {                
+    {
         return true;
     }
 
      /**
      * Class handler.
-     * 
+     *
      * @param array $args array of arguments
      *
      * @return nothing
@@ -67,15 +67,18 @@ class UserbyidAction extends Action
         parent::handle($args);
         $id = $this->trimmed('id');
         if (!$id) {
-            $this->clientError(_('No id.'));
+            $this->clientError(_('No ID.'));
         }
-        $user =& User::staticGet($id);
+        $user = User::staticGet($id);
         if (!$user) {
             $this->clientError(_('No such user.'));
         }
 
-        // support redirecting to FOAF rdf/xml if the agent prefers it
-        $page_prefs = 'application/rdf+xml,text/html,application/xhtml+xml,application/xml;q=0.3,text/xml;q=0.2';
+        // Support redirecting to FOAF rdf/xml if the agent prefers it...
+        // Internet Explorer doesn't specify "text/html" and does list "*/*"
+        // at least through version 8. We need to list text/html up front to
+        // ensure that only user-agents who specifically ask for RDF get it.
+        $page_prefs = 'text/html,application/xhtml+xml,application/rdf+xml,application/xml;q=0.3,text/xml;q=0.2';
         $httpaccept = isset($_SERVER['HTTP_ACCEPT'])
                       ? $_SERVER['HTTP_ACCEPT'] : null;
         $type       = common_negotiate_type(common_accept_to_prefs($httpaccept),
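Review bot: The two `clientError()` calls on the new side have no `return` after them, so the handler's correctness rests on `clientError()` never returning (throwing or exiting), which this file does not show; if it ever returns, `$user` is false and execution continues into the negotiation and redirect with no user. A guard that does not depend on the helper's behaviour is `$this->clientError(_('No ID.'));` followed by `return;`, and likewise `return;` after `$this->clientError(_('No such user.'));`. The reordered `$page_prefs` list is sound and the comment explains the IE `*/*` rationale well; it would be worth adding that the ordering, not the q-values, is what makes `text/html` win for wildcard agents. `handle()` starts before this hunk and ends in the next one, and `$type` is assigned from a call that continues past the hunk's last line.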
@@ -85,4 +88,3 @@ class UserbyidAction extends Action
         common_redirect($url, 303);
     }
 }
-