Manually invoke verify_authenticity_token for non-Account contexts

instructure · Dec 6, 2017 · f11849a · f11849a
1 parent 9e0e04f
commit f11849a
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
@@ -108,6 +108,10 @@
 #     }
 #
 class FilesController < ApplicationController
+  # show_relative is exempted from protect_from_forgery in order to allow 
+  # brand-config-uploaded JS to work
+  # verify_authenticity_token is manually-invoked where @context is not 
+  # an Account in show_relative
   protect_from_forgery except: :show_relative
   before_action :require_user, only: :create_pending
   before_action :require_context, except: [
@@ -568,6 +572,10 @@ def show_relative
     file_id = params[:file_id]
     file_id = nil unless file_id.to_s =~ Api::ID_REGEX
 
+    # Manually-invoke verify_authenticity_token for non-Account contexts
+    # This is to allow Account-level file downloads to skip request forgery protection
+    verify_authenticity_token unless @context.is_a?(Account)
+
     #if the relative path matches the given file id use that file
     if file_id && @attachment = @context.attachments.where(id: file_id).first
       unless @attachment.matches_full_display_path?(path) || @attachment.matches_full_path?(path)