From: Eric Davis Date: Sat, 14 Nov 2009 19:41:07 +0000 (+0000) Subject: Protect controllers from potential CSRF attacks. #4216 X-Git-Tag: 0.9.0~204 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ea0bc56a65102db1c6ad9a0c6942932d73fe9216;p=redmine.git Protect controllers from potential CSRF attacks. #4216 git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3051 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 532595548..2bcfac952 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -25,6 +25,7 @@ class ApplicationController < ActionController::Base before_filter :user_setup, :check_if_login_required, :set_localization filter_parameter_logging :password + protect_from_forgery include Redmine::Search::Controller include Redmine::MenuManager::MenuController diff --git a/config/environments/test.rb b/config/environments/test.rb index 388d2022a..0d1b42e5b 100644 --- a/config/environments/test.rb +++ b/config/environments/test.rb @@ -21,6 +21,9 @@ config.action_controller.session = { :secret => "some secret phrase for the tests." } +# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application +config.action_controller.allow_forgery_protection = false + config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com" config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com" config.gem "mocha" diff --git a/config/environments/test_pgsql.rb b/config/environments/test_pgsql.rb index 388d2022a..0d1b42e5b 100644 --- a/config/environments/test_pgsql.rb +++ b/config/environments/test_pgsql.rb @@ -21,6 +21,9 @@ config.action_controller.session = { :secret => "some secret phrase for the tests." } +# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application +config.action_controller.allow_forgery_protection = false + config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com" config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com" config.gem "mocha" diff --git a/config/environments/test_sqlite3.rb b/config/environments/test_sqlite3.rb index 388d2022a..0d1b42e5b 100644 --- a/config/environments/test_sqlite3.rb +++ b/config/environments/test_sqlite3.rb @@ -21,6 +21,9 @@ config.action_controller.session = { :secret => "some secret phrase for the tests." } +# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application +config.action_controller.allow_forgery_protection = false + config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com" config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com" config.gem "mocha"