POST Requests to repository WS fail with "Can't verify CSRF token authenticity" ...

author Go MAEDA <maeda@farend.jp>

Wed, 10 Aug 2022 01:34:37 +0000 (01:34 +0000)

committer Go MAEDA <maeda@farend.jp>

Wed, 10 Aug 2022 01:34:37 +0000 (01:34 +0000)
author Go MAEDA <maeda@farend.jp>
Wed, 10 Aug 2022 01:34:37 +0000 (01:34 +0000)
committer Go MAEDA <maeda@farend.jp>
Wed, 10 Aug 2022 01:34:37 +0000 (01:34 +0000)
diff --git a/app/controllers/sys_controller.rb b/app/controllers/sys_controller.rb

index 4295eed67f185bba7413763e5da946d227f2b9a1..9dfd41891b71e0dbd2662815b808bf1007c3dc5e 100644 (file)
--- a/app/controllers/sys_controller.rb
+++ b/app/controllers/sys_controller.rb
@@ -22,6 +22,9 @@ class SysController < ActionController::Base
  
    before_action :check_enabled
  
+  # Requests from repository WS clients don't contain CSRF tokens
+  skip_before_action :verify_authenticity_token
+
    def projects
      p = Project.active.has_module(:repository).
            order("#{Project.table_name}.identifier").preload(:repository).to_a
diff --git a/test/functional/sys_controller_test.rb b/test/functional/sys_controller_test.rb

index edc5c4945cc329200655f1968971332a40ad8834..5a6741fd84a18f39351f0d6be280946d0e42e075 100644 (file)
--- a/test/functional/sys_controller_test.rb
+++ b/test/functional/sys_controller_test.rb
@@ -143,4 +143,11 @@ class SysControllerTest < Redmine::ControllerTest
        assert_include 'Access denied', response.body
      end
    end
+
+  def test_should_skip_verify_authenticity_token
+    ActionController::Base.allow_forgery_protection = true
+    assert_nothing_raised {test_create_project_repository}
+  ensure
+    ActionController::Base.allow_forgery_protection = false
+  end
  end
author	Go MAEDA <maeda@farend.jp>
	Wed, 10 Aug 2022 01:34:37 +0000 (01:34 +0000)
committer	Go MAEDA <maeda@farend.jp>
	Wed, 10 Aug 2022 01:34:37 +0000 (01:34 +0000)
app/controllers/sys_controller.rb		patch \| blob \| history
test/functional/sys_controller_test.rb		patch \| blob \| history