From 50e6f9535ef024feac415bee254dffa537efe383 Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Wed, 10 Aug 2022 01:39:30 +0000
Subject: [PATCH] Merged r21766 from trunk to 5.0-stable (#37562).

git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21767 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/sys_controller.rb      | 3 +++
 test/functional/sys_controller_test.rb | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/app/controllers/sys_controller.rb b/app/controllers/sys_controller.rb
index 4295eed67..9dfd41891 100644
--- a/app/controllers/sys_controller.rb
+++ b/app/controllers/sys_controller.rb
@@ -22,6 +22,9 @@ class SysController < ActionController::Base
 
   before_action :check_enabled
 
+  # Requests from repository WS clients don't contain CSRF tokens
+  skip_before_action :verify_authenticity_token
+
   def projects
     p = Project.active.has_module(:repository).
           order("#{Project.table_name}.identifier").preload(:repository).to_a
diff --git a/test/functional/sys_controller_test.rb b/test/functional/sys_controller_test.rb
index edc5c4945..5a6741fd8 100644
--- a/test/functional/sys_controller_test.rb
+++ b/test/functional/sys_controller_test.rb
@@ -143,4 +143,11 @@ class SysControllerTest < Redmine::ControllerTest
       assert_include 'Access denied', response.body
     end
   end
+
+  def test_should_skip_verify_authenticity_token
+    ActionController::Base.allow_forgery_protection = true
+    assert_nothing_raised {test_create_project_repository}
+  ensure
+    ActionController::Base.allow_forgery_protection = false
+  end
 end
-- 
2.39.5