From 348429940d27ce6e03d9ff5ce972fd5b51ea8f85 Mon Sep 17 00:00:00 2001
From: Thorsten Eckel
Date: Mon, 9 Jul 2018 08:47:03 +0200
Subject: [PATCH] - Skip CSRF validation if `config.action_controller.allow_forgery_protection` is disabled (Rails standard). - Improved CSRF request method check (inspired by Rails).
---
 app/controllers/application_controller/prevents_csrf.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/controllers/application_controller/prevents_csrf.rb b/app/controllers/application_controller/prevents_csrf.rb
index ba7450fac..240daa874 100644
--- a/app/controllers/application_controller/prevents_csrf.rb
+++ b/app/controllers/application_controller/prevents_csrf.rb
@@ -14,8 +14,10 @@ module ApplicationController::PreventsCsrf
   end
 
   def verify_csrf_token
-    return true if request.method != 'POST' && request.method != 'PUT' && request.method != 'DELETE' && request.method != 'PATCH'
-    return true if @_auth_type == 'token_auth' || @_auth_type == 'basic_auth'
+    return true if !protect_against_forgery?
+    return true if request.get?
+    return true if request.head?
+    return true if %w[token_auth basic_auth].include?(@_auth_type)
     return true if valid_authenticity_token?(session, params[:authenticity_token] || request.headers['X-CSRF-Token'])
     logger.info 'CSRF token verification failed'
     raise Exceptions::NotAuthorized, 'CSRF token verification failed!'
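Review bot: `return true if !protect_against_forgery?` is the negated-if form RuboCop flags; the idiomatic line is `return true unless protect_against_forgery?`, which also reads closer to the Rails `verified_request?` this mirrors. The GET/HEAD short-circuit is the Rails convention but it is only safe while no GET or HEAD action changes state, so a one-line comment above `request.get?` such as `# GET/HEAD are treated as side-effect free, as in Rails' verified_request?` makes the exemption auditable; note that the old check also exempted OPTIONS and other non-write verbs, while the new one exempts only GET and HEAD, presumably intended. The `protect_against_forgery?` skip means any environment that disables `allow_forgery_protection` (normally only test) bypasses this method entirely, which deserves a sentence in the method comment so nobody toggles it in production for convenience; I also cannot see from the hunk that `ActionController::RequestForgeryProtection` is included wherever this module is mixed in, so confirm `protect_against_forgery?` resolves there. The `end` of `verify_csrf_token` lies outside the hunk.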