diff options
| -rw-r--r-- | app/controllers/sys_controller.rb | 3 | ||||
| -rw-r--r-- | test/functional/sys_controller_test.rb | 7 |
2 files changed, 10 insertions, 0 deletions
diff --git a/app/controllers/sys_controller.rb b/app/controllers/sys_controller.rb index 4295eed67..9dfd41891 100644 --- a/app/controllers/sys_controller.rb +++ b/app/controllers/sys_controller.rb @@ -22,6 +22,9 @@ class SysController < ActionController::Base before_action :check_enabled + # Requests from repository WS clients don't contain CSRF tokens + skip_before_action :verify_authenticity_token + def projects p = Project.active.has_module(:repository). order("#{Project.table_name}.identifier").preload(:repository).to_a diff --git a/test/functional/sys_controller_test.rb b/test/functional/sys_controller_test.rb index edc5c4945..5a6741fd8 100644 --- a/test/functional/sys_controller_test.rb +++ b/test/functional/sys_controller_test.rb @@ -143,4 +143,11 @@ class SysControllerTest < Redmine::ControllerTest assert_include 'Access denied', response.body end end + + def test_should_skip_verify_authenticity_token + ActionController::Base.allow_forgery_protection = true + assert_nothing_raised {test_create_project_repository} + ensure + ActionController::Base.allow_forgery_protection = false + end end |