authorJean-Philippe Lang <jp_lang@yahoo.fr>2013-11-22 22:57:30 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2013-11-22 22:57:30 +0000
commit5c0078c63a201a42b972d6b2869ec21810da0b95 (patch)
treeb7dfd537c350288296ecd57fe3c876e2f5d845da
parentbba304ef390789627052d235c1f2bfd2227e4f2c (diff)
Fixed that non-GET API requests respond with 422 (#15427).
git-svn-id: http://svn.redmine.org/redmine/trunk@12311 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/application_controller.rb16
-rw-r--r--test/integration/api_test/api_test.rb41
2 files changed, 52 insertions, 5 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index fa97b179c..228be479e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -33,13 +33,19 @@ class ApplicationController < ActionController::Base
layout 'base'
protect_from_forgery
+
+ def verify_authenticity_token
+ unless api_request?
+ super
+ end
+ end
+
def handle_unverified_request
- super
- cookies.delete(autologin_cookie_name)
- if api_request?
- logger.error "API calls must include a proper Content-type header (application/xml or application/json)."
+ unless api_request?
+ super
+ cookies.delete(autologin_cookie_name)
+ render_error :status => 422, :message => "Invalid form authenticity token."
end
- render_error :status => 422, :message => "Invalid form authenticity token."
end
before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
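Review bot: The new `verify_authenticity_token` override turns CSRF verification off for every request where `api_request?` is true, and nothing in the hunk records why that is safe; the exemption only holds if API-format requests are never authenticated from the browser's session or autologin cookie, which is decided in `api_request?` and the user lookup outside this hunk and should be confirmed there. I would add a comment above the override, e.g. `# CSRF protection is skipped for API requests (xml/json format): they must authenticate with an API key or HTTP basic auth, never the session cookie, so a cross-site form post cannot act on a logged-in user.` The rewritten `handle_unverified_request` now has an empty branch for API requests, so if that callback is ever reached for one (a subclass re-enabling verification, for instance) the request proceeds silently instead of being rejected; since the override above already prevents the callback from running for API requests, the `unless api_request?` guard there appears redundant and a short comment saying so would help the next reader. The `ApplicationController` class body starts and ends outside the hunk.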
diff --git a/test/integration/api_test/api_test.rb b/test/integration/api_test/api_test.rb
new file mode 100644
index 000000000..f4eb3b421
--- /dev/null
+++ b/test/integration/api_test/api_test.rb
@@ -0,0 +1,41 @@
+# Redmine - project management software
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../../test_helper', __FILE__)
+
+class Redmine::ApiTest::ApiTest < Redmine::ApiTest::Base
+ fixtures :users
+
+ def setup
+ Setting.rest_api_enabled = '1'
+ end
+
+ def test_api_should_work_with_protect_from_forgery
+ ActionController::Base.allow_forgery_protection = true
+ assert_difference('User.count') do
+ post '/users.xml', {
+ :user => {
+ :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
+ :mail => 'foo@example.net', :password => 'secret123'}
+ },
+ credentials('admin')
+ assert_response 201
+ end
+ ensure
+ ActionController::Base.allow_forgery_protection = false
+ end
+end \ No newline at end of file
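Review bot: The `ensure` clause in `test_api_should_work_with_protect_from_forgery` resets `ActionController::Base.allow_forgery_protection` to a literal `false` instead of the value it had before the test, so it silently clobbers the process-wide setting for any later test that expected it to be true; capture it first with `previous = ActionController::Base.allow_forgery_protection` and restore with `ActionController::Base.allow_forgery_protection = previous`. The test only exercises the positive path (an XML POST with `credentials('admin')` succeeds once forgery protection is on); there is no companion test showing that the new CSRF exemption did not open a hole, so I would add one that POSTs to `/users.xml` with forgery protection enabled and no API credentials and asserts that no user is created and the response is a rejection rather than 201. The heredoc-free setup is fine, but the trailing `\ No newline at end of file` on the last line is worth fixing before merge.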