Add CSRF protection in entire application - Long term project #744
Comments
Hi, Lalith - will this be a Note also that a CSRF token is sent with inline image uploads on the old #739 shows how I'm trying to On Sun, Aug 28, 2016 at 2:33 PM, Lalith Rallabhandi <
@jywarren do we need this issue?
I think it's a good idea for someone to go through and ensure we are using this properly; best keep open. Thanks!
On Mon, Mar 25, 2019 at 2:45 PM Gaurav Sachdeva wrote:
@jywarren <https://github.com/jywarren> do we need this issue?
Isn't CSRF protection in-built to Rails? Also, in `protect_from_forgery unless: -> { is_dataurl_post }`. In `<input type="hidden" name="authenticity_token" value="<%= form_authenticity_token %>" />` Is this how it should be extended to other forms?
What happened just before the problem occurred
This could be added as a sub-project for the next GSoC.
Most of the forms used in PublicLab don't contain the CSRF token parameter, as we don't use the Rails form helpers form_tag and form_for.
It could be nice to replace the <form tag with form_tag, which will add the CSRF token automatically. Once you get it working with one form, it would be the same for the other forms as well. Solving this issue could actually introduce you to different views and features of PublicLab.
Tests
As functional tests don't have CSRF enabled, you need to add a test something like the one below to test CSRF protection.
PublicLab.org username
Lalithr95
(to help reproduce the issue)
cc: @jywarren
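The hidden field that form_tag emits, the protect_from_forgery decision with an `unless:` style exemption, and the checks a forgery-enabled functional test would make, as an added stand-alone Ruby model (this is not plots2 code and not Rails itself; the CsrfDemo module and its method names are assumptions that mirror Rails' masked authenticity-token scheme):

```ruby
require 'securerandom'
require 'base64'

# Hypothetical stand-in (added example) for Rails' masked authenticity-token scheme:
# a random token lives in the session, form_authenticity_token emits a one-time-pad
# masked copy (different per render, same unmasked value), and protect_from_forgery
# rejects state-changing requests whose token does not unmask to the session value.
module CsrfDemo
  TOKEN_LENGTH = 32

  # Token stored in the session, created on first use (base64 of random bytes).
  def self.session_token(session)
    session[:_csrf_token] ||= Base64.strict_encode64(SecureRandom.random_bytes(TOKEN_LENGTH))
  end

  # What form_tag embeds: base64(pad || pad XOR raw_session_token).
  def self.form_authenticity_token(session)
    raw = Base64.strict_decode64(session_token(session))
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  # The hidden field form_tag adds, which a hand-written <form> tag lacks.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session)}" />)
  end

  # Unmask the submitted token and compare it to the session token in constant time.
  def self.valid_authenticity_token?(session, encoded)
    masked = Base64.strict_decode64(encoded.to_s) rescue nil # malformed base64 -> nil
    return false unless masked && masked.bytesize == TOKEN_LENGTH * 2
    pad, body = masked[0, TOKEN_LENGTH], masked[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, body), Base64.strict_decode64(session_token(session)))
  end

  # protect_from_forgery's decision; exempt: true models an "unless:" condition
  # such as is_dataurl_post evaluating to true for that request.
  def self.verified_request?(session, method, params, exempt: false)
    return true if %w[GET HEAD].include?(method.upcase) || exempt
    valid_authenticity_token?(session, params['authenticity_token'])
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A functional test with forgery protection switched on would assert exactly what the last lines of the test below assert: a POST without a valid token is not a verified request, while the same POST carrying the token from the rendered form is.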