Let the secret token be set in configuration.yml.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9567 e93f8b46-1217-0410-a6f0-8f06a7374b81

2 files changed, 15 insertions, 0 deletions

diff --git a/config/configuration.yml.example b/config/configuration.yml.example
index 9fefdde22..2224cd130 100644
--- a/config/configuration.yml.example
+++ b/config/configuration.yml.example
@@ -154,6 +154,15 @@ default:
   #
   #mirror_plugins_assets_on_startup: false
 
+  # Your secret key for verifying cookie session data integrity. If you
+  # change this key, all old sessions will become invalid! Make sure the
+  # secret is at least 30 characters and all random, no regular words or
+  # you'll be exposed to dictionary attacks.
+  #
+  # If you have a load-balancing Redmine cluster, you have to use the
+  # same secret token on each machine.
+  #secret_token: 'change it to a long random string'
+
 # specific configuration options for production environment
 # that overrides the default ones
 production:
diff --git a/config/initializers/30-redmine.rb b/config/initializers/30-redmine.rb
index 58972b023..11a248959 100644
--- a/config/initializers/30-redmine.rb
+++ b/config/initializers/30-redmine.rb
@@ -4,6 +4,12 @@ I18n::Backend::Simple.send(:include, I18n::Backend::Fallbacks)
 
 require 'redmine'
 
+# Load the secret token from the Redmine configuration file
+secret = Redmine::Configuration['secret_token']
+if secret.present?
+  RedmineApp::Application.config.secret_token = secret
+end
+
 Redmine::Plugin.load
 unless Redmine::Configuration['mirror_plugins_assets_on_startup'] == false
   Redmine::Plugin.mirror_assets