Protect controllers from potential CSRF attacks. #4216

author Eric Davis <edavis@littlestreamsoftware.com>

Sat, 14 Nov 2009 19:41:07 +0000 (19:41 +0000)

committer Eric Davis <edavis@littlestreamsoftware.com>

Sat, 14 Nov 2009 19:41:07 +0000 (19:41 +0000)
author Eric Davis <edavis@littlestreamsoftware.com>
Sat, 14 Nov 2009 19:41:07 +0000 (19:41 +0000)
committer Eric Davis <edavis@littlestreamsoftware.com>
Sat, 14 Nov 2009 19:41:07 +0000 (19:41 +0000)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index 53259554813b5c49c3a6646471b3bc2addc5aed8..2bcfac9522cb397496d757b80f103d2e72fd22f0 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -25,6 +25,7 @@ class ApplicationController < ActionController::Base
    
    before_filter :user_setup, :check_if_login_required, :set_localization
    filter_parameter_logging :password
+  protect_from_forgery
    
    include Redmine::Search::Controller
    include Redmine::MenuManager::MenuController
diff --git a/config/environments/test.rb b/config/environments/test.rb

index 388d2022a75c980fdcfcd5709035ea6d0feb5487..0d1b42e5be2ff1ad148913625a4464ac13177ba4 100644 (file)
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
    :secret => "some secret phrase for the tests."
  }
  
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+
  config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
  config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
  config.gem "mocha"
diff --git a/config/environments/test_pgsql.rb b/config/environments/test_pgsql.rb

index 388d2022a75c980fdcfcd5709035ea6d0feb5487..0d1b42e5be2ff1ad148913625a4464ac13177ba4 100644 (file)
--- a/config/environments/test_pgsql.rb
+++ b/config/environments/test_pgsql.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
    :secret => "some secret phrase for the tests."
  }
  
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+
  config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
  config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
  config.gem "mocha"
diff --git a/config/environments/test_sqlite3.rb b/config/environments/test_sqlite3.rb

index 388d2022a75c980fdcfcd5709035ea6d0feb5487..0d1b42e5be2ff1ad148913625a4464ac13177ba4 100644 (file)
--- a/config/environments/test_sqlite3.rb
+++ b/config/environments/test_sqlite3.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
    :secret => "some secret phrase for the tests."
  }
  
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+
  config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
  config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
  config.gem "mocha"
author	Eric Davis <edavis@littlestreamsoftware.com>
	Sat, 14 Nov 2009 19:41:07 +0000 (19:41 +0000)
committer	Eric Davis <edavis@littlestreamsoftware.com>
	Sat, 14 Nov 2009 19:41:07 +0000 (19:41 +0000)
app/controllers/application_controller.rb		patch \| blob \| history
config/environments/test.rb		patch \| blob \| history
config/environments/test_pgsql.rb		patch \| blob \| history
config/environments/test_sqlite3.rb		patch \| blob \| history