From 3ef2bc41182f1230912d48ebd4fa75d31a347692 Mon Sep 17 00:00:00 2001
From: tohosaku
Date: Tue, 14 Dec 2021 07:51:04 +0000
Subject: [PATCH] set default_protect_from_forgery true

default is true after rails 5.2
---
 app/controllers/application_controller.rb | 17 ++++++++++-------
 config/application.rb | 3 +++
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 15aa665a0..b3e2d13a7 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -38,8 +38,6 @@ class ApplicationController < ActionController::Base
 
   layout 'base'
 
-  protect_from_forgery
-
   def verify_authenticity_token
     unless api_request?
       super
@@ -48,11 +46,16 @@ class ApplicationController < ActionController::Base
 
   def handle_unverified_request
     unless api_request?
-      super
-      cookies.delete(autologin_cookie_name)
-      self.logged_user = nil
-      set_localization
-      render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      begin
+        super
+      rescue ActionController::InvalidAuthenticityToken => e
+        logger.error("ActionController::InvalidAuthenticityToken: #{e.message}") if logger
+      ensure
+        cookies.delete(autologin_cookie_name)
+        self.logged_user = nil
+        set_localization
+        render_error :status => 422, :message => l(:error_invalid_authenticity_token)
+      end
     end
   end
 
diff --git a/config/application.rb b/config/application.rb
index e74fcbf67..c841ce9e5 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -58,6 +58,9 @@ module RedmineApp
 
     # Do not include all helpers
     config.action_controller.include_all_helpers = false
 
+    # Add forgery protection
+    config.action_controller.default_protect_from_forgery = true
+
     # Sets the Content-Length header on responses with fixed-length bodies
     config.middleware.insert_before Rack::Sendfile, Rack::ContentLength
-- 
2.30.2
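Review bot: Removing the bare `protect_from_forgery` silently switches the CSRF strategy, not just where it is declared: a call with no `with:` option falls back to `:null_session`, whereas `default_protect_from_forgery` makes the ActionController railtie install `protect_from_forgery with: :exception` on `ActionController::Base`, so `super` in `handle_unverified_request` now raises instead of blanking the session. That is presumably why the next hunk adds a rescue, but nothing in the class records the dependency; I would leave a comment where the call was: `# CSRF protection comes from config.action_controller.default_protect_from_forgery (strategy :exception); see handle_unverified_request`. Note too that if the config/application.rb line were ever dropped, this controller would have no forgery protection at all unless `config.load_defaults 5.2` or later is in effect, which this patch does not show. `verify_authenticity_token` continues past the end of the hunk.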
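Review bot: `ensure` is the wrong clause for the cleanup and the `render_error` call: it also runs when `super` raises something other than `ActionController::InvalidAuthenticityToken`, in which case the method renders a 422 and then lets the unrelated exception propagate anyway (a later `rescue_from` handler that renders could then hit `DoubleRenderError`). Since the `rescue` arm already guarantees control falls through for the expected exception, close the `begin` block right after that arm (`end` in place of `ensure`) and run `cookies.delete`, `self.logged_user = nil`, `set_localization` and `render_error` unconditionally after it. For incident triage the log line would be more useful with request context, e.g. `logger.error("ActionController::InvalidAuthenticityToken: #{e.message} (#{request.remote_ip} #{request.method} #{request.path})") if logger`. Whether `self.logged_user = nil` also resets the Rails session, which the old `:null_session` strategy did on its own, is not visible here and is worth confirming.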
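Review bot: The comment `# Add forgery protection` undersells what this line now does: as I read the ActionController railtie, `default_protect_from_forgery = true` is what installs `protect_from_forgery with: :exception` on `ActionController::Base`, and with the bare call removed from `ApplicationController` in the same patch it is the only thing enabling CSRF checks at all. The commit message's "default is true after rails 5.2" only holds when `config.load_defaults 5.2` or later is used, which this hunk does not show, so the explicit assignment must not be treated as redundant. I would write `# Enable CSRF protection for every controller (protect_from_forgery with: :exception). ApplicationController relies on this instead of calling protect_from_forgery itself, so do not remove it.` The `:exception` strategy raises ActionController::InvalidAuthenticityToken, which ApplicationController#handle_unverified_request has to handle, as it does in this patch.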