don't CSRF-protect the instfs backchannel
it's protected by JWT authentication instead

test-plan:
 - when running in an environment with CSRF protection enabled (i.e. not
   development, e.g. test)
 - with instfs plugin enabled and service running and configured
 - try to upload a file
 - upload should complete without error
 - in same setup (CSRF protected), try and initiate a file upload
   outside of the canvas UI, e.g. with curl
 - should still be blocked by CSRF protection

Change-Id: If26d262b4cfb87ddfeb6fffca3493b7d56da7586
Reviewed-on: https://gerrit.instructure.com/130026
Reviewed-by: Andrew Huff <ahuff@instructure.com>
QA-Review: Collin Parrish <cparrish@instructure.com>
Tested-by: Jenkins
Product-Review: Jacob Fugal <jacob@instructure.com>
lukfugl committed Jan 12, 2018
1 parent 34092a1 commit 8dfd1f9
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions app/controllers/files_controller.rb
Expand Up @@ -108,6 +108,8 @@
# }
#
class FilesController < ApplicationController
protect_from_forgery :except => [:api_capture], with: :exception

before_action :require_user, only: :create_pending
before_action :require_context, except: [
:assessment_question_show, :image_thumbnail, :show_thumbnail,
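Review bot: the added `protect_from_forgery :except => [:api_capture], with: :exception` line under `class FilesController` redeclares the forgery strategy for the whole controller rather than only exempting one action, so every other action here now uses `:exception` whatever ApplicationController configured. If the intent is only to exempt the backchannel, `skip_before_action :verify_authenticity_token, only: :api_capture` leaves the inherited strategy untouched. The line also mixes the `:except =>` and `with:` hash styles, and it deserves a comment stating that `api_capture` relies on JWT authentication instead, since that check is not visible in this hunk and the exemption is only safe while it stays in place.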