author | Akihiko Odaki (@fn_aki@pawoo.net) <akihiko.odaki.4i@stu.hosei.ac.jp> | 2017-06-02 03:56:55 +0900 |
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-06-01 20:56:55 +0200 |
commit | 10768aa20418a5c3d547da33d80b9ebe3f34efb0 (patch) | |
tree | 777447fa4ba96b3e8be51c39cec48233de472460 | |
parent | e98559c3ff79ccc9b5b866c5351416dd58f2ebee (diff) |
Spec response for forgery (#3248)
Remove protect_from_forgery from ApiController; it was already a no-op there because the skip_before_action :verify_authenticity_token that follows it disables the same check.
-rw-r--r-- | app/controllers/api_controller.rb | 2 | ||||
-rw-r--r-- | spec/controllers/api_controller_spec.rb | 18 | ||||
-rw-r--r-- | spec/controllers/application_controller_spec.rb | 10 |
3 files changed, 28 insertions, 2 deletions
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 1c67b6fdc..1e72549bd 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -4,8 +4,6 @@ class ApiController < ApplicationController
 DEFAULT_STATUSES_LIMIT = 20
 DEFAULT_ACCOUNTS_LIMIT = 40
- protect_from_forgery with: :null_session
-
 skip_before_action :verify_authenticity_token
 skip_before_action :store_current_location
diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb
new file mode 100644
index 000000000..1026afbbc
--- /dev/null
+++ b/spec/controllers/api_controller_spec.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ApiController, type: :controller do
+ controller do
+ def success
+ head 200
+ end
+ end
+
+ it 'does not protect from forgery' do
+ ActionController::Base.allow_forgery_protection = true
+ routes.draw { post 'success' => 'api#success' }
+ post 'success'
+ expect(response).to have_http_status(:success)
+ end
+end
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 83ec02401..9370dcdad 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -37,6 +37,16 @@ describe ApplicationController, type: :controller do
 end
 end
+ context 'forgery' do
+ subject do
+ ActionController::Base.allow_forgery_protection = true
+ routes.draw { post 'success' => 'anonymous#success' }
+ post 'success'
+ end
+
+ include_examples 'respond_with_error', 422
+ end
+
 it "does not force ssl if LOCAL_HTTPS is not 'true'" do
 routes.draw { get 'success' => 'anonymous#success' }
 ClimateControl.modify LOCAL_HTTPS: '' do |
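Review bot: With `protect_from_forgery with: :null_session` gone, the only CSRF-related statement left in the class is `skip_before_action :verify_authenticity_token`, and nothing in the hunk records why skipping the check is acceptable; that line should carry the justification. Skipping the token check is only sound if no request to this controller is ever authenticated by the session cookie — if `current_user` elsewhere in this class falls back to the Devise session (the rest of the class is outside the hunk, so I cannot tell), a cross-site form POST from a logged-in browser would reach API actions with no CSRF defence at all. I would put `# CSRF token check is skipped: API requests must authenticate with a bearer token, never the session cookie.` above the skip line, and add a spec that a cookie-only request (no token) to an API action is rejected, so the assumption cannot silently erode. The new api_controller_spec in this commit only shows that a token-less POST is not blocked; it does not show that session-authenticated requests are refused.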
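Review bot: `ActionController::Base.allow_forgery_protection = true` inside the `it` block flips a process-wide setting and never restores it, so every controller spec that runs after this one in the same process sees forgery protection enabled (the Rails test environment normally has it off) and can start failing on unrelated POSTs in a run-order-dependent way. Wrap the toggle in an `around` hook that saves and restores the previous value, leaving the example body as just the routed POST and its expectation. `head 200` could also be written `head :ok` to match the symbolic status used in the expectation.
```ruby
describe ApiController, type: :controller do
  # … unchanged: anonymous controller defining #success …

  around do |example|
    previous = ActionController::Base.allow_forgery_protection
    ActionController::Base.allow_forgery_protection = true
    begin
      example.run
    ensure
      ActionController::Base.allow_forgery_protection = previous
    end
  end

  it 'does not protect from forgery' do
    routes.draw { post 'success' => 'api#success' }
    post 'success'
    expect(response).to have_http_status(:success)
  end
end
```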
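Review bot: The `subject` block sets `ActionController::Base.allow_forgery_protection = true` globally and leaves it set — the same leak as in the new api_controller_spec — but here the toggle sits inside a lazily evaluated `subject`, so the moment the global flips depends on when the shared `respond_with_error` examples (defined outside this hunk) first call `subject`. Move the toggle into a hook pair that restores the prior value, e.g. `before { @forgery_was = ActionController::Base.allow_forgery_protection; ActionController::Base.allow_forgery_protection = true }` and `after { ActionController::Base.allow_forgery_protection = @forgery_was }`, leaving `subject` as only the `routes.draw` and the `post`. The 422 is presumably produced by a rescue of `ActionController::InvalidAuthenticityToken` in ApplicationController; that handler is not in the hunk, so the expectation is only as meaningful as it is.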