Run CSRF protection before all other controller filters #81

Merged
merged 3 commits into from Apr 24, 2019

@tvdeyen (Member) commented Apr 24, 2019

Rails 5.2 does not prepend forgery protection before all other controller filters anymore. If you access the current_user method in a before filter (for instance because you want to store its id in an error tracking service context) you will see a "Can't verify CSRF token authenticity" error in your logs and the login fails.

Fixed by prepending the CSRF forgery protection in our sessions controller.

Closes #80
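To make the ordering described above concrete, here is an added example (it is not AlchemyCMS or Rails code): a small stand-in for the Rails before-filter chain. `MiniController` mimics the shape of `before_action`, `prepend_before_action` and `protect_from_forgery` only far enough to show which filters run before `verify_authenticity_token`; the `set_error_context` filter, the `:csrf_token` session key and the controller names are assumptions made for the illustration, and the stand-in reproduces the filter order, not the login failure itself.

```ruby
# Added example, not AlchemyCMS or Rails code: a stand-in for the Rails
# before-filter chain that reproduces the ordering problem from this PR.
# MiniController mimics before_action / prepend_before_action /
# protect_from_forgery; the set_error_context filter and the :csrf_token
# session key are assumptions made for the illustration.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

class MiniController
  # Per-class list of before filters, in execution order.
  def self.before_filters
    @before_filters ||= []
  end

  def self.before_action(name)
    before_filters.push(name)
  end

  def self.prepend_before_action(name)
    before_filters.unshift(name)
  end

  # Mirrors the Rails 5.2 contract: prepend: false (the default) appends the
  # verification filter behind everything registered so far, prepend: true
  # moves it to the front of the chain. Only the :exception strategy is modelled.
  def self.protect_from_forgery(with: :exception, prepend: false)
    raise ArgumentError, 'stand-in only models with: :exception' unless with == :exception

    prepend ? prepend_before_action(:verify_authenticity_token) : before_action(:verify_authenticity_token)
  end

  attr_reader :session, :params

  def initialize(session:, params:)
    @session = session
    @params = params
    @trace = [] # filters that actually ran, in order
  end

  # Runs the chain and returns the trace, ending in :action when the request
  # reaches the controller action or :rejected when verification stopped it.
  def dispatch
    self.class.before_filters.each do |name|
      @trace << name
      send(name)
    end
    @trace << :action
  rescue InvalidAuthenticityToken
    @trace << :rejected
  end

  # Compares the submitted token with the one in the session: a length check
  # followed by a constant-time byte comparison, as Rails does.
  def verify_authenticity_token
    expected = session[:csrf_token].to_s
    given = params[:authenticity_token].to_s
    return if expected.bytesize.positive? && expected.bytesize == given.bytesize &&
              expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?

    # This is the point where Rails logs "Can't verify CSRF token authenticity."
    raise InvalidAuthenticityToken
  end

  def current_user
    session[:user_id]
  end
end

# Rails 5.2 default: the error-tracking filter was registered first, so it
# runs on every request, forged ones included, before the token is checked.
class AppendedSessionsController < MiniController
  before_action :set_error_context
  protect_from_forgery with: :exception

  def set_error_context
    @context_user_id = current_user # reads the session on an unverified request
  end
end

# The fix in this PR: prepend the check so nothing runs ahead of it.
class PrependedSessionsController < MiniController
  before_action :set_error_context
  protect_from_forgery with: :exception, prepend: true

  def set_error_context
    @context_user_id = current_user
  end
end

# Dispatches one POST against the given controller with a constructed session.
def run_chain(controller_class, forged:)
  token = SecureRandom.hex(16)
  session = { csrf_token: token, user_id: 42 }      # constructed session data
  submitted = forged ? SecureRandom.hex(16) : token # a forger cannot know the real token
  controller_class.new(session: session, params: { authenticity_token: submitted }).dispatch
end

if $PROGRAM_NAME == __FILE__
  puts "appended,  forged: #{run_chain(AppendedSessionsController, forged: true).inspect}"
  puts "prepended, forged: #{run_chain(PrependedSessionsController, forged: true).inspect}"
end
```

With the check appended, a forged POST still executes `set_error_context` (and anything else registered earlier, in a parent controller or by a gem) before being rejected; with `prepend: true` the token check is the first filter in the chain, so a forged request touches nothing else.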

tvdeyen added some commits Apr 24, 2019

Ensure CSRF protection runs before all other filters
Rails 5.2 does not prepend forgery protection before all other controller filters anymore. If you access the `current_user` method in a before filter (for instance because you want to store its id in an error tracking service context) you will see a "Can't verify CSRF token authenticity" error in your logs and the login fails.

Fixed by prepending the CSRF forgery protection in our sessions controller.

Closes #80
@mamhoff (Contributor) left a comment:

Whoa what a find. Good work, thank you!

@tvdeyen tvdeyen merged commit ab1781d into AlchemyCMS:master Apr 24, 2019

2 checks passed

Hakiri: No security warnings were found.
continuous-integration/travis-ci/pr: The Travis CI build passed.

@tvdeyen tvdeyen deleted the tvdeyen:fix-80 branch Apr 24, 2019

tvdeyen added a commit that referenced this pull request May 15, 2019

v4.2.1
- Remove test files from built Ruby gem [#82](#82) ([tvdeyen](https://github.com/tvdeyen))
- Run CSRF protection before all other controller filters [#81](#81) ([tvdeyen](https://github.com/tvdeyen))