
Commit

Merge pull request #18 from MushroomObserver/ror4
Ror4
raysuelzer committed Feb 8, 2015
2 parents a55b484 + 018954e commit 11cc51f
Showing 3 changed files with 158 additions and 106 deletions.
14 changes: 4 additions & 10 deletions app/controllers/application_controller.rb
@@ -94,6 +94,10 @@ class ApplicationController < ActionController::Base
require "csv"
include LoginSystem

# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception

around_filter :catch_errors # if Rails.env == "test"
before_filter :block_ip_addresses
before_filter :kick_out_robots
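Review bot: the raise-on-failure strategy added here (`protect_from_forgery with: :exception`) sits two lines above `around_filter :catch_errors`, and `ActionController::InvalidAuthenticityToken` is raised from the `verify_authenticity_token` before-filter, so confirm whether `catch_errors` rescues it and what it renders; a forged or stale-token request should get a short error response, not a 500 with a stack trace in production. The comment above it notes that APIs may prefer `:null_session`: if any controller that accepts non-browser POSTs inherits from `ApplicationController`, those requests will now fail verification unless that controller opts out (its own `protect_from_forgery with: :null_session`, or `skip_before_action :verify_authenticity_token`). Also, the reason for raising rather than silently resetting the session (autologin would just re-establish it) is documented only in the comment deleted in the next hunk; a one-line version of it belongs next to this call.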
@@ -145,16 +149,6 @@ def param_lookup(path, default = nil)
end
end

# The default CSRF handler silently resets the session. The problem is
# autologin will circumvent this, so we would need to disable autologin
# temporarily. Or we can just make forgeries fail, but leave valid requests
# alone. This seems much more graceful... and it lets the user know why they
# are experiencing otherwise bewildering and incorrect behavior.
def handle_unverified_request
render(text: "Cross-site Request Forgery detected!", layout: false)
return false
end

# Physically eject robots unless they're looking at accepted pages.
def kick_out_robots
return true unless browser.bot?
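Review bot: removing this `handle_unverified_request` override is the right companion to `with: :exception`. The override answered a failed CSRF check with HTTP 200 and a plain-text body (the `return false` after `render` was unreachable anyway), which made forgery attempts indistinguishable from successful requests in access logs; with the default strategy they now surface as `ActionController::InvalidAuthenticityToken` and can be counted and alerted on. Keep the substance of the deleted comment, though: the point that autologin would re-create a session that the default reset strategy had cleared is the justification for the `:exception` choice and should move next to `protect_from_forgery` rather than disappear with this hunk.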

0 comments on commit 11cc51f