Redmine

Hi,

after upgrading from 2.3.0 to 2.4.1 I could no longer login via openid.

This is the log snippet:

Generated checkid_setup request to https://openid.xxx.com/index.php?user=John.Doe
 with assocication bmshmeqgqqlrpqbu5sjo4g3g84
Started GET "/support/login?_method=post&openid1_claimed_id=...
 for 192.168.x.x at Sun Dec 15 15:24:48 +0100 2013
Processing by AccountController#login as HTML
  Parameters: {"openid1_claimed_id"=>"https://openid.xxx.com/John.Doe", "rp_nonce"=>"2013-12-15T14:24:43ZZ0jbBB"}
WARNING: Can't verify CSRF token authenticity
  Rendered common/error.html.erb within layouts/base (0.8ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 28.0ms (Views: 27.3ms | ActiveRecord: 0.0ms)

After googling a bit I found a solution based on this https://github.com/xaviershay/enki/issues/91

So I tweaked app/controllers/account_controller.rb a bit:

diff redmine/app/controllers/account_controller.rb redmine-2.4.1/app/controllers/account_controller.rb
23,25c23
<   skip_before_filter :check_if_login_required, :check_password_change, :verify_authenticity_token, :only => :login
<   before_filter :verify_authenticity_token_unless_openid, :only => :create
< 
---
>   skip_before_filter :check_if_login_required, :check_password_change
345,349d342
< 
<   def verify_authenticity_token_unless_openid
<     verify_authenticity_token unless using_open_id?
<   end
<

and I can now successfully login.

From my point of view I did not introduce a security issue here but a 2nd opionion would be great before this is added to redmine.