Merged r12311 (#15427).

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Fri, 22 Nov 2013 23:28:12 +0000 (23:28 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Fri, 22 Nov 2013 23:28:12 +0000 (23:28 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Fri, 22 Nov 2013 23:28:12 +0000 (23:28 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Fri, 22 Nov 2013 23:28:12 +0000 (23:28 +0000)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index fa97b179c93d4078b3bc3b62dad21d436f92e478..228be479ee914373b8dd7dfe15a81c4db5faff66 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -33,13 +33,19 @@ class ApplicationController < ActionController::Base
    layout 'base'
  
    protect_from_forgery
+
+  def verify_authenticity_token
+    unless api_request?
+      super
+    end
+  end
+
    def handle_unverified_request
-    super
-    cookies.delete(autologin_cookie_name)
-    if api_request?
-      logger.error "API calls must include a proper Content-type header (application/xml or application/json)."
+    unless api_request?
+      super
+      cookies.delete(autologin_cookie_name)
+      render_error :status => 422, :message => "Invalid form authenticity token."
      end
-    render_error :status => 422, :message => "Invalid form authenticity token."
    end
  
    before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
diff --git a/test/integration/api_test/api_test.rb b/test/integration/api_test/api_test.rb

new file mode 100644 (file)

index 0000000..f4eb3b4
--- /dev/null
+++ b/test/integration/api_test/api_test.rb
@@ -0,0 +1,41 @@
+# Redmine - project management software
+# Copyright (C) 2006-2013  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require File.expand_path('../../../test_helper', __FILE__)
+
+class Redmine::ApiTest::ApiTest < Redmine::ApiTest::Base
+  fixtures :users
+
+  def setup
+    Setting.rest_api_enabled = '1'
+  end
+
+  def test_api_should_work_with_protect_from_forgery
+    ActionController::Base.allow_forgery_protection = true
+    assert_difference('User.count') do
+      post '/users.xml', {
+        :user => {
+          :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
+          :mail => 'foo@example.net', :password => 'secret123'}
+        },
+        credentials('admin')
+      assert_response 201
+    end
+  ensure
+    ActionController::Base.allow_forgery_protection = false
+  end
+end
+\ No newline at end of file
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Fri, 22 Nov 2013 23:28:12 +0000 (23:28 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Fri, 22 Nov 2013 23:28:12 +0000 (23:28 +0000)
app/controllers/application_controller.rb		patch \| blob \| history
test/integration/api_test/api_test.rb	[new file with mode: 0644]	patch \| blob