From ea0bc56a65102db1c6ad9a0c6942932d73fe9216 Mon Sep 17 00:00:00 2001
From: Eric Davis <edavis@littlestreamsoftware.com>
Date: Sat, 14 Nov 2009 19:41:07 +0000
Subject: [PATCH] Protect controllers from potential CSRF attacks. #4216

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3051 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 1 +
 config/environments/test.rb               | 3 +++
 config/environments/test_pgsql.rb         | 3 +++
 config/environments/test_sqlite3.rb       | 3 +++
 4 files changed, 10 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 532595548..2bcfac952 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -25,6 +25,7 @@ class ApplicationController < ActionController::Base
   
   before_filter :user_setup, :check_if_login_required, :set_localization
   filter_parameter_logging :password
+  protect_from_forgery
   
   include Redmine::Search::Controller
   include Redmine::MenuManager::MenuController
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 388d2022a..0d1b42e5b 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
   :secret => "some secret phrase for the tests."
 }
 
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+
 config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
 config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
 config.gem "mocha"
diff --git a/config/environments/test_pgsql.rb b/config/environments/test_pgsql.rb
index 388d2022a..0d1b42e5b 100644
--- a/config/environments/test_pgsql.rb
+++ b/config/environments/test_pgsql.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
   :secret => "some secret phrase for the tests."
 }
 
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+
 config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
 config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
 config.gem "mocha"
diff --git a/config/environments/test_sqlite3.rb b/config/environments/test_sqlite3.rb
index 388d2022a..0d1b42e5b 100644
--- a/config/environments/test_sqlite3.rb
+++ b/config/environments/test_sqlite3.rb
@@ -21,6 +21,9 @@ config.action_controller.session = {
   :secret => "some secret phrase for the tests."
 }
 
+# Skip protect_from_forgery in requests http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application
+config.action_controller.allow_forgery_protection  = false
+
 config.gem "thoughtbot-shoulda", :lib => "shoulda", :source => "http://gems.github.com"
 config.gem "nofxx-object_daddy", :lib => "object_daddy", :source => "http://gems.github.com"
 config.gem "mocha"
-- 
2.39.5