Merge pull request #68 from JoeCohen/csrf
Turn on CSRF protection
pellaea committed Feb 8, 2015
2 parents d27c297 + b938bae commit 018954e
Showing 1 changed file with 4 additions and 10 deletions.
14 changes: 4 additions & 10 deletions app/controllers/application_controller.rb
Expand Up @@ -94,6 +94,10 @@ class ApplicationController < ActionController::Base
require "csv"
include LoginSystem

# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception

around_filter :catch_errors # if Rails.env == "test"
before_filter :block_ip_addresses
before_filter :kick_out_robots
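Review bot: the new `protect_from_forgery with: :exception` is declared before `around_filter :catch_errors`, so the `ActionController::InvalidAuthenticityToken` it raises fires in the `verify_authenticity_token` before-callback, outside the `catch_errors` wrapper, and falls through to Rails' default 422 error page instead of whatever `catch_errors` does; if the intent is for that handler to see forgery failures, move the `around_filter` above `protect_from_forgery`, or add a `rescue_from ActionController::InvalidAuthenticityToken` in this controller. Also check that every form and XHR POST in the app actually sends the token (`form_for` does; hand-written `form_tag`/AJAX calls need the `csrf_meta_tags` value), since any request that previously slipped through now raises for every user, and any endpoint that must accept non-browser POSTs should get a per-controller `skip_before_filter :verify_authenticity_token` (or `:null_session`, as the generator comment suggests) rather than weakening this global setting.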
Expand Down Expand Up @@ -145,16 +149,6 @@ def param_lookup(path, default = nil)
end
end

# The default CSRF handler silently resets the session. The problem is
# autologin will circumvent this, so we would need to disable autologin
# temporarily. Or we can just make forgeries fail, but leave valid requests
# alone. This seems much more graceful... and it lets the user know why they
# are experiencing otherwise bewildering and incorrect behavior.
def handle_unverified_request
render(text: "Cross-site Request Forgery detected!", layout: false)
return false
end

# Physically eject robots unless they're looking at accepted pages.
def kick_out_robots
return true unless browser.bot?
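Review bot: deleting `handle_unverified_request` drops the only user-facing explanation of a CSRF failure; the removed comment's concern (the default `:reset_session` being undone by autologin) no longer applies with `with: :exception`, since the session is not reset at all, but a user who hits a stale or missing token now gets a bare 422 instead of "Cross-site Request Forgery detected!". Consider keeping that behaviour via `rescue_from ActionController::InvalidAuthenticityToken` rendering the same message with `layout: false` and a 422 status, and note in the commit or the comment above `protect_from_forgery` why the override was removed so the next reader does not reintroduce it.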
