0001-set-default_protect_from_forgery-true.patch

Takashi Kato, 2021-12-14 23:42

Download (2.07 KB)

View differences:

app/controllers/application_controller.rb
38 38

  
39 39
  layout 'base'
40 40

  
41
  protect_from_forgery
42

  
43 41
  def verify_authenticity_token
44 42
    unless api_request?
45 43
      super
......
48 46

  
49 47
  def handle_unverified_request
50 48
    unless api_request?
51
      super
52
      cookies.delete(autologin_cookie_name)
53
      self.logged_user = nil
54
      set_localization
55
      render_error :status => 422, :message => l(:error_invalid_authenticity_token)
49
      begin
50
        super
51
      rescue ActionController::InvalidAuthenticityToken => e
52
        logger.error("ActionController::InvalidAuthenticityToken: #{e.message}") if logger
53
      ensure
54
        cookies.delete(autologin_cookie_name)
55
        self.logged_user = nil
56
        set_localization
57
        render_error :status => 422, :message => l(:error_invalid_authenticity_token)
58
      end
56 59
    end
57 60
  end
58 61

  
config/application.rb
58 58
    # Do not include all helpers
59 59
    config.action_controller.include_all_helpers = false
60 60

  
61
    # Add forgery protection
62
    config.action_controller.default_protect_from_forgery = true
63

  
61 64
    # Sets the Content-Length header on responses with fixed-length bodies
62 65
    config.middleware.insert_before Rack::Sendfile, Rack::ContentLength
63 66

  
64
-