Skip to content
Permalink
Browse files Browse the repository at this point in the history
[webui] Reintroduce CSRF protection for the webui. AUA!
  • Loading branch information
hennevogel authored and adrianschroeter committed Mar 27, 2014
1 parent b1b10ef commit 2188c05
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 0 deletions.
9 changes: 9 additions & 0 deletions src/api/app/controllers/webui/webui_controller.rb
Expand Up @@ -13,6 +13,15 @@ class Webui::WebuiController < ActionController::Base
before_filter :require_configuration
after_filter :clean_cache

protect_from_forgery

# We execute both strategies here. The default rails strategy (resetting the session)
# and throwing an exception if the session is handled elswhere (e.g. proxy_auth_mode: :on)
def handle_unverified_request
super
raise ActionController::InvalidAuthenticityToken
end

# :notice and :alert are default, we add :success and :error
add_flash_types :success, :error

Expand Down
1 change: 1 addition & 0 deletions src/api/config/application.rb
Expand Up @@ -105,6 +105,7 @@ class Application < Rails::Application
config.action_dispatch.rescue_responses.merge!('ActiveXML::Transport::ConnectionError' => 503)
config.action_dispatch.rescue_responses.merge!('ActiveXML::Transport::Error' => 500)
config.action_dispatch.rescue_responses.merge!('Timeout::Error' => 408)
config.action_dispatch.rescue_responses.merge!('ActionController::InvalidAuthenticityToken' => 403)

# avoid a warning
I18n.enforce_available_locales = true
Expand Down

1 comment on commit 2188c05

@msmeissn
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.