
add report_csrf_failure, enable custom reports #1573

Merged
merged 3 commits into from Feb 13, 2014
Conversation

ujifgc
Member

@ujifgc ujifgc commented Feb 3, 2014

ref #1566

To render a custom error, add this to your app:

enable :protect_from_csrf
enable :report_csrf_failure
error 403 do
  render 'base/error'
end

@dariocravero

Thanks @ujifgc! Looks good to me. @skade, thoughts?

@skade
Contributor

skade commented Feb 4, 2014

I would prefer if the old key still worked with a warning, for those that configured it.

Just to validate: The current solution doesn't short-circuit in the middleware stack, but instead halts in the routing layer by adding a condition to all routes that halts by default? Seems good to me.

The previous version stemmed from the fact that I tried to keep as close to Rack::Protection standard behaviour as possible.

@ujifgc
Member Author

ujifgc commented Feb 4, 2014

As the default behavior is now to bubble the 403 up to Sinatra, do you see any point in keeping watch over this allow_disabled_csrf? Would anyone disable allow_disabled_csrf manually? I added a deprecation notice.

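The PR description shows the three-line configuration (protect_from_csrf, report_csrf_failure, error 403) and skade's question is whether the rejection short-circuits in the middleware or halts in the routing layer where the app's handlers can run. The following is an added example, not Padrino's code and not from this pull request: a hypothetical, self-contained MiniCsrfApp (stand-in names for Padrino's settings DSL, route table and error handlers are assumptions) that implements the CSRF check on state-changing requests with a per-session token and a constant-time comparison, and shows both behaviours: with report_csrf_failure off the 403 goes out as a bare "Forbidden" the way a Rack::Protection middleware would emit it, and with it on the failure halts inside the app so the custom `error 403` handler renders. The request hashes are constructed inputs, not Rack envs.

```ruby
require 'securerandom'

# Hypothetical stand-in (assumption, not Padrino's code) for the pieces this
# PR touches: an enable/disable settings DSL, an `error 403` handler, and a
# CSRF check on state-changing requests that either short-circuits like a
# Rack::Protection middleware (custom handlers never run) or, with
# report_csrf_failure enabled, halts inside the app so `error 403` renders.
class MiniCsrfApp
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  def initialize
    @settings = Hash.new(false)
    @error_handlers = {}
    @routes = {}
  end

  def enable(name)
    @settings[name] = true
  end

  def error(status, &block)
    @error_handlers[status] = block
  end

  def route(method, path, &block)
    @routes[[method, path]] = block
  end

  # Mint one token per session; real frameworks keep it in the session store.
  def issue_token(session)
    session['csrf'] ||= SecureRandom.hex(32)
  end

  # Constant-time comparison so the position of a mismatch cannot be timed.
  def token_valid?(expected, supplied)
    return false unless expected.is_a?(String) && supplied.is_a?(String)
    return false unless expected.bytesize == supplied.bytesize
    diff = 0
    expected.bytes.zip(supplied.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end

  # request: { method:, path:, params:, headers:, session: } (constructed, not a Rack env)
  def call(request)
    if @settings[:protect_from_csrf] && !SAFE_METHODS.include?(request[:method])
      supplied = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
      return csrf_failure(request) unless token_valid?(request[:session]['csrf'], supplied)
    end
    handler = @routes[[request[:method], request[:path]]]
    return [404, {}, ['Not Found']] unless handler
    [200, {}, [handler.call(request)]]
  end

  private

  # Without report_csrf_failure the rejection behaves like a middleware
  # short-circuit: a bare 403 goes out and the app's error handlers never see it.
  def csrf_failure(request)
    if @settings[:report_csrf_failure] && @error_handlers[403]
      [403, {}, [@error_handlers[403].call(request)]]
    else
      [403, {}, ['Forbidden']]
    end
  end
end

# Mirrors the configuration from the PR description; `report` toggles the new setting.
def build_app(report: true)
  app = MiniCsrfApp.new
  app.enable :protect_from_csrf
  app.enable :report_csrf_failure if report
  app.error(403) { |req| "Custom CSRF error page for #{req[:path]}" }
  app.route('GET', '/') { |_req| 'home' }
  app.route('POST', '/transfer') { |req| "transferred #{req[:params]['amount']}" }
  app
end

# Replays constructed requests against one session and returns the responses.
def simulate(report: true)
  app = build_app(report: report)
  session = {}
  token = app.issue_token(session)
  post = lambda do |params, headers = {}|
    app.call({ method: 'POST', path: '/transfer', params: params, headers: headers, session: session })
  end
  {
    valid:  post.call({ 'amount' => '10', 'authenticity_token' => token }),
    header: post.call({ 'amount' => '10' }, { 'X-CSRF-Token' => token }),
    forged: post.call({ 'amount' => '10' }),                        # cross-site form, no token
    wrong:  post.call({ 'amount' => '10', 'authenticity_token' => 'a' * 64 }),
    get:    app.call({ method: 'GET', path: '/', params: {}, headers: {}, session: session })
  }
end

if __FILE__ == $PROGRAM_NAME
  simulate(report: true).each { |name, (status, _h, body)| puts "#{name}: #{status} #{body.first}" }
  puts "forged, report disabled: #{simulate(report: false)[:forged].last.first}"
end
```

Run with `ruby` and compare the two `forged` lines: with report_csrf_failure enabled the custom page body comes back, without it only "Forbidden". The check is skipped for GET/HEAD/OPTIONS/TRACE because those are the methods a browser issues cross-site without a token, which is also why the example only accepts the token from the form field or the X-CSRF-Token header and never from the query string.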
@nesquena nesquena added this to the 0.12.1 milestone Feb 9, 2014
@ujifgc
Member Author

ujifgc commented Feb 13, 2014

I reverted enabling report_csrf_failure by default and removed deprecation of enabled allow_disabled_csrf. Also improved tests to ensure custom errors are working.

ujifgc added a commit that referenced this pull request Feb 13, 2014
add report_csrf_failure, enable custom reports
@ujifgc ujifgc merged commit aa9d108 into master Feb 13, 2014
@ujifgc ujifgc deleted the clarify-csrf branch February 13, 2014 10:11