about summary refs log tree commit diff
diff options
context:
space:
mode:
authorPatrick Figel <patrick@figel.email>2018-01-15 06:51:23 +0100
committerEugen Rochko <eugen@zeonfederated.com>2018-01-15 06:51:23 +0100
commit537d2939b10df9121e5a9f13a9d66c568ff681bf (patch)
tree8e4dcb8a4566497534ad0bd81b12c318bd760bcb
parent2091ae92be5d04cd4dadb2200c507ce8d8d2623e (diff)
Suppress CSRF token warnings (#6240)
CSRF token checking was enabled for API controllers in #6223,
producing "Can't verify CSRF token authenticity" log spam. This
disables logging of failed CSRF checks.

This also changes the protection strategy for
PushSubscriptionsController to use exceptions, making it consistent
with other controllers that use sessions.
-rw-r--r--app/controllers/api/web/push_subscriptions_controller.rb1
-rw-r--r--config/initializers/suppress_csrf_warnings.rb3
2 files changed, 4 insertions, 0 deletions
diff --git a/app/controllers/api/web/push_subscriptions_controller.rb b/app/controllers/api/web/push_subscriptions_controller.rb
index 52e250d02..68ccbd5e2 100644
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@@ -4,6 +4,7 @@ class Api::Web::PushSubscriptionsController < Api::BaseController
   respond_to :json
 
   before_action :require_user!
+  protect_from_forgery with: :exception
 
   def create
     params.require(:subscription).require(:endpoint)
diff --git a/config/initializers/suppress_csrf_warnings.rb b/config/initializers/suppress_csrf_warnings.rb
new file mode 100644
index 000000000..410ab585b
--- /dev/null
+++ b/config/initializers/suppress_csrf_warnings.rb
@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+ActionController::Base.log_warning_on_csrf_failure = false