presidentbeef · presidentbeef · Nov 29, 2016 · Nov 7, 2016
diff --git a/test/apps/rails5/app/controllers/concerns/forgery_protection.rb b/test/apps/rails5/app/controllers/concerns/forgery_protection.rb
@@ -0,0 +1,7 @@
+module ForgeryProtection
+  extend ActiveSupport::Concern
+
+  included do
+    protect_from_forgery with: :exception
+  end
+end
diff --git a/test/apps/rails5/app/controllers/mixed_controller.rb b/test/apps/rails5/app/controllers/mixed_controller.rb
@@ -0,0 +1,4 @@
+class BaseController < ActionController::Base
+  # No protect_from_forgery call, but one mixed in
+  include ForgeryProtection
+end
diff --git a/test/tests/rails5.rb b/test/tests/rails5.rb
@@ -410,4 +410,12 @@ def test_link_to_href_safe_interpolation
       :code => s(:call, nil, :link_to, s(:str, "Email!"), s(:dstr, "mailto:", s(:evstr, s(:call, s(:params), :[], s(:lit, :x))))),
       :user_input => s(:call, s(:params), :[], s(:lit, :x))
   end
+
+  def test_mixed_in_csrf_protection
+    assert_no_warning :type => :controller,
+      :warning_type => "Cross-Site Request Forgery",
+      :line => 1,
+      :message => /^'protect_from_forgery'\ should\ be\ called\ /,
+      :relative_path => "app/controllers/mixed_controller.rb"
+  end
 end