- Skip CSRF validation if config.action_controller.allow_forgery_protection is disabled (Rails standard).

- Improved CSRF request method check (inspired by Rails).
Thorsten Eckel 2018-07-09 08:47:03 +02:00
parent b96de74964
commit 348429940d


@ -14,8 +14,10 @@ module ApplicationController::PreventsCsrf
end end
def verify_csrf_token def verify_csrf_token
return true if request.method != 'POST' && request.method != 'PUT' && request.method != 'DELETE' && request.method != 'PATCH' return true if !protect_against_forgery?
return true if @_auth_type == 'token_auth' || @_auth_type == 'basic_auth' return true if request.get?
return true if request.head?
return true if %w[token_auth basic_auth].include?(@_auth_type)
return true if valid_authenticity_token?(session, params[:authenticity_token] || request.headers['X-CSRF-Token']) return true if valid_authenticity_token?(session, params[:authenticity_token] || request.headers['X-CSRF-Token'])
logger.info 'CSRF token verification failed' logger.info 'CSRF token verification failed'
raise Exceptions::NotAuthorized, 'CSRF token verification failed!' raise Exceptions::NotAuthorized, 'CSRF token verification failed!'