Both DashboardController and ModelsController inherit from ApplicationController, which is a direct subclass of ActionController::Base, but it doesn't call protect_from_forgery to turn on CSRF protection. Thus all the controllers in upmin are potentially vulnerable to CSRF attacks. This PR inserts a call in upmin's ApplicationController to turn on CSRF verification in the application.
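One way to audit a code base for the gap described above, as an added example that is not part of this PR or of upmin's code: it walks each controller's ancestor chain and reports those that reach ActionController::Base without any scanned class calling protect_from_forgery. The file names and controller sources are constructed sample input modelled on the class names mentioned above, and the helper names are hypothetical.

```ruby
# Added example (not upmin code): static audit for missing protect_from_forgery.
CLASS_RE = /^\s*class\s+([\w:]+)\s*<\s*([\w:]+)/
CSRF_RE  = /^\s*protect_from_forgery\b/ # commented-out calls do not match

# Build { class_name => { parent:, csrf: } } from { path => source }.
# Assumes one controller class per file and unique unqualified class names.
def index_controllers(sources)
  sources.each_with_object({}) do |(_path, src), index|
    m = src.match(CLASS_RE) or next
    index[m[1].split("::").last] = {
      parent: m[2].sub(/\A::/, ""),
      csrf: src.match?(CSRF_RE)
    }
  end
end

# True if the class or any scanned ancestor turns CSRF verification on.
# An unknown parent (e.g. ActionController::Base) ends the walk unprotected.
def csrf_protected?(name, index, seen = [])
  info = index[name.split("::").last]
  return false if info.nil? || seen.include?(name)
  info[:csrf] || csrf_protected?(info[:parent], index, seen + [name])
end

def controllers_missing_csrf(sources)
  index = index_controllers(sources)
  index.keys.reject { |name| csrf_protected?(name, index) }.sort
end

# Constructed sample input: the controller layout before the fix.
BEFORE = {
  "application_controller.rb" => <<~RUBY,
    module Upmin
      class ApplicationController < ActionController::Base
      end
    end
  RUBY
  "dashboard_controller.rb" =>
    "module Upmin\n  class DashboardController < ApplicationController\n  end\nend\n",
  "models_controller.rb" =>
    "module Upmin\n  class ModelsController < ApplicationController\n  end\nend\n"
}.freeze

# Constructed "after": the base controller now calls protect_from_forgery.
AFTER = BEFORE.merge(
  "application_controller.rb" => BEFORE["application_controller.rb"]
    .sub("Base\n", "Base\n    protect_from_forgery\n")
).freeze

puts "before: #{controllers_missing_csrf(BEFORE).inspect}"
puts "after:  #{controllers_missing_csrf(AFTER).inspect}"
```

The check only sees explicit calls in the scanned sources; it does not account for CSRF protection enabled through framework configuration.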
@mbrookes yep, I am aware of that. I am submitting this PR just in case there are people still using upmin. Do note that the maintainer announced just five months ago that he is no longer maintaining this.